On 23/08/2017 20:36, John Torakis wrote:
> Yeah, I am a security researcher, I am keen on backdoor programming and
> staging and all that! It is my official job and research topic! I go to
> the office and code such stuff! I am not a blackhat, nor a security
> enthusiast, it is my job.
>
>
> First of all, let's all agree that if someone can run Python code in
> your computer you are 100% hacked! It is irrelevant if "httpimport" is a
> core python feature or not in that case.
>
> Now, I agree that this can be exploited if used under plain HTTP, it is
> a MiTM -> Remote code execution case. I admit that this is not bright.
> But I mention that this can be used in testing.
>
> On the topic of HTTPS, man-in-the-middle is not possible without
> previous Trusted Certificate compromise. GitHub can be trusted 100%
> for example. A certificate check has to take place in the HTTPS
> remote loading for sure!
>
> When I said a "core feature" I meant that the "httpimport" module would
> deliver with the core modules. Not that the Finder/Loader has to be in
> the list of Finders/Loaders that are used by default! For God's sake, I
> wouldn't like my PC to start probing for modules just because I mistyped
> an import line!
>
> I know that pip works nicely, especially when paired with virtual
> environments, but ad-hoc importing is another thing. It isn't
> meant for delivering real projects. Just for testing modules without the
> need to download them, maybe install them, and all.
>
>
> Thank you for your time,
> John Torakis
>
>
> On 23/08/2017 20:17, Chris Angelico wrote:
>> On Thu, Aug 24, 2017 at 2:55 AM, John Torakis <john.tora...@gmail.com> wrote:
>>> Hello all!
>>>
>>> Today I opened an issue in bugs.python.org
>>> (http://bugs.python.org/issue31264) proposing a module I created for
>>> remote package/module imports through standard HTTP/S.
>>>
>>> The concept is that, if a directory is served through HTTP/S (the way
>>> SimpleHTTPServer module serves directories), a Finder/Loader object can
>>> fetch Python files from that directory using HTTP requests, and finally
>>> load them as modules (or packages) in the running namespace.
>>>
>>> The repo containing a primitive (but working) version of the
>>> Finder/Loader, also contains self explanatory examples (in the README.md):
>>>
>>> https://github.com/operatorequals/httpimport
>>>
>>>
>>> My proposal is that this module can become a core Python feature,
>>> providing a way to load modules even from Github.com repositories,
>>> without the need to "git clone - setup.py install" them.
>>>
>>>
>>> Other languages, like golang, provide this functionality from their
>>> early days (day one?). Python development can be greatly improved if a
>>> "try before pip installing" mechanism gets in place, as it will add a
>>> lot to the REPL nature of the testing/experimenting process.
>> As a core feature? No no no no no no no no. Absolutely do NOT WANT
>> THIS. This is a security bug magnet; can you imagine trying to ensure
>> that malicious code is not executed, in an arbitrary execution
>> context? As an explicitly-enabled feature, it's a lot less hairy than
>> a permanently-active one (can you IMAGINE how terrifying that would
>> be?), but even so, trying to prove that addRemoteRepo (not a
>> PEP8-compliant name, btw) is getting the correct code is not going to
>> be easy. You have to (a) drop HTTP altogether and mandate SSL and (b)
>> be absolutely sure that your certificate chains are 100% dependable,
>> which - as we've seen recently - is a nontrivial task.
>>
>> The easiest way to add remote code is pip. For most packages, that's
>> what you want to be using:
>>
>> pip install requests
>>
>> will make "import requests" functional. I don't see pip mentioned
>> anywhere in your README, but you do mention the testing of pull
>> requests, so at very least, this wants some explanatory screed.
>>
>> But I'm not entirely sure I want to support this. You're explicitly
>> talking about using this with the creation of backdoors... in what,
>> exactly? What are you actually getting at here?
>>
>> ChrisA
>> _______________________________________________
>> Python-ideas mailing list
>> Python-ideas@python.org
>> https://mail.python.org/mailman/listinfo/python-ideas
>> Code of Conduct: http://python.org/psf/codeofconduct/
>
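Both posters above land on the same two requirements for any remote loader: refuse plain HTTP and verify the server certificate, and even then have some way of knowing the fetched file is the one you expected. The block below is an added illustration written for this page, not code from httpimport or from either poster. It is a small meta-path finder that only serves an explicit allowlist of module names, only accepts an https:// base URL, fetches through an SSL context that verifies the chain and hostname, and refuses to exec any file whose SHA-256 does not match a pinned digest. The host `example.invalid`, the module name `remote_greeter` and its source are constructed placeholders, and the demo injects a fake fetcher so nothing touches the network.

```python
"""Hardened remote-import finder: HTTPS only, certificate verification, pinned hashes."""
import hashlib
import importlib
import importlib.abc
import importlib.util
import ssl
import sys
import urllib.request
from urllib.parse import urlparse


def https_fetch(url: str) -> bytes:
    """Fetch bytes over HTTPS with certificate and hostname verification.

    ssl.create_default_context() validates the chain against the system trust
    store and checks the hostname, so an interceptor without a trusted cert
    fails here. Not exercised by the offline demo below.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


class PinnedHttpsFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serve only pinned module names, only over https://, and only when the
    fetched source matches its pinned SHA-256. Everything else falls through
    to the normal importers, so a mistyped import never probes the network."""

    def __init__(self, base_url, pins, fetch=https_fetch):
        if urlparse(base_url).scheme != "https":
            raise ValueError("refusing non-HTTPS base URL: " + base_url)
        self.base_url = base_url.rstrip("/") + "/"
        self.pins = dict(pins)          # module name -> expected sha256 hex digest
        self.fetch = fetch              # injectable so the demo can run offline

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:   # unknown names are not ours
            return None
        origin = self.base_url + fullname + ".py"
        return importlib.util.spec_from_loader(fullname, self, origin=origin)

    def create_module(self, spec):
        return None                     # use the default module object

    def exec_module(self, module):
        name = module.__name__
        source = self.fetch(module.__spec__.origin)
        digest = hashlib.sha256(source).hexdigest()
        if digest != self.pins[name]:
            # A substituted or tampered file never reaches exec().
            raise ImportError(f"{name}: sha256 {digest} != pinned {self.pins[name]}")
        exec(compile(source, module.__spec__.origin, "exec"), module.__dict__)


# Constructed sample module (placeholder, not from any real repository).
SAMPLE_SOURCE = b"def greet(who):\n    return 'hello, ' + who\n"
PINS = {"remote_greeter": hashlib.sha256(SAMPLE_SOURCE).hexdigest()}
BASE = "https://example.invalid/modules"   # placeholder host, never contacted


def try_import(served: bytes, name: str = "remote_greeter"):
    """Import `name` through a finder whose fetcher returns `served`.
    Returns ("ok", greet("world")) or ("error", exception class name)."""
    finder = PinnedHttpsFinder(BASE, PINS, fetch=lambda url: served)
    sys.meta_path.insert(0, finder)
    sys.modules.pop(name, None)
    try:
        mod = importlib.import_module(name)
        return ("ok", mod.greet("world"))
    except ImportError as exc:          # ModuleNotFoundError is a subclass
        return ("error", type(exc).__name__)
    finally:
        sys.meta_path.remove(finder)
        sys.modules.pop(name, None)


def rejects_plain_http() -> bool:
    """True if the finder refuses an http:// base URL at configuration time."""
    try:
        PinnedHttpsFinder("http://example.invalid/modules", PINS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(try_import(SAMPLE_SOURCE))                          # ('ok', 'hello, world')
    print(try_import(SAMPLE_SOURCE + b"# tampered\n"))        # ('error', 'ImportError')
    print(try_import(SAMPLE_SOURCE, name="unpinned_module"))  # ('error', 'ModuleNotFoundError')
    print(rejects_plain_http())                               # True
```

The pin table is the part that addresses Chris's "getting the correct code" objection rather than just the transport: TLS tells you which server you talked to, the digest tells you which file you got, and the allowlist keeps the finder from ever being consulted for names you did not opt in to. Maintaining those digests is effectively what a lockfile does, which is the point at which pip already covers this ground for real projects.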
