On Wed, 30 Oct 2019 at 08:32, Steven D'Aprano <st...@pearwood.info> wrote:
>
> On Wed, Oct 30, 2019 at 08:12:12AM +0000, Paul Moore wrote:
> >
> > If you add a module with the same name as a stdlib module to sys.path,
> > current semantics are that the stdlib wins.
>
> I don't think so... shadowing of the stdlib by accident is a common
> problem.

That's the script directory, which is a (slightly) different issue -
the script directory is placed ahead of the stdlib on sys.path, but
other install directories come later. Like you say, shadowing via
things in the script directory is a relatively well-known issue, and
that wasn't the point I was trying to demonstrate here.

> > The proposed semantics
> > would allow the added module to *add* functions (in effect). Consider
> > a malicious module that adds names that match common typos for stdlib
> > functions. Such a module could cause a typo in user code to trigger an
> > exploit, rather than simply failing. While unlikely to happen, this
> > has the potential to be a new security vulnerability.
>
> If an attacker can write files in sys.path, they've already won :-)

Conceded. Although the normal attack vector is to get someone to
import your malicious package. With this change, there's a new attack
vector, getting someone to reference an undefined name from a trusted
package. As I said, though, it's unlikely, and just a *potential*
issue.

I think the other points made (in particular the ones in your original
mail that I replied to) make the point sufficiently that this change
is not a good idea, regardless of the validity of the security risk.

Paul
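The path-order point above (script directory ahead of the stdlib, other install directories behind it) can be checked directly. The following is an added example, not code from this thread or from CPython: it reports which stdlib module names a given path order would resolve from outside the stdlib, and `demo()` constructs a throwaway directory containing a `json.py` to show both orders. It assumes Python 3.10+ for `sys.stdlib_module_names`; the helper names are mine.

```python
# Added example (not code from the thread): which stdlib module names
# would a given sys.path order shadow?  Assumes Python 3.10+ for
# sys.stdlib_module_names.
import importlib.machinery
import importlib.util
import os
import sys
import sysconfig
import tempfile


def _stdlib_roots():
    # stdlib directories: pure-Python modules plus the extension-module
    # directory (lib-dynload on POSIX, DLLs on Windows), found via a module
    # that normally ships as a compiled extension.
    paths = sysconfig.get_paths()
    roots = {paths["stdlib"], paths["platstdlib"]}
    for probe in ("_socket", "_ssl", "_json"):
        spec = importlib.util.find_spec(probe)
        if spec is not None and spec.origin and os.path.isfile(spec.origin):
            roots.add(os.path.dirname(spec.origin))
    return tuple(os.path.join(os.path.realpath(r), "") for r in roots)


def shadowed_stdlib_modules(path_entries, names=None):
    """{name: origin} for stdlib names whose first match on path_entries
    lies outside the stdlib.  Entries are searched in order, exactly as the
    import system searches sys.path: an entry before the stdlib wins, one
    after it loses.  Built-in modules live on no path and are skipped."""
    if names is None:
        names = getattr(sys, "stdlib_module_names", ())
    roots = _stdlib_roots()
    shadowed = {}
    for name in sorted(names):
        spec = importlib.machinery.PathFinder.find_spec(name, path_entries)
        if spec is None or not spec.origin:  # absent, or namespace package
            continue
        origin = os.path.realpath(spec.origin)
        if not origin.startswith(roots):
            shadowed[name] = origin
    return shadowed


def demo(module_name="json"):
    """Constructed case: a json.py in a throwaway 'script directory'
    shadows the stdlib only when that directory precedes it on the path."""
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, module_name + ".py"), "w") as f:
            f.write("# constructed stand-in for a local module\n")
        ahead = shadowed_stdlib_modules([script_dir, stdlib_dir], {module_name})
        after = shadowed_stdlib_modules([stdlib_dir, script_dir], {module_name})
    return module_name in ahead, module_name in after
```

Running `shadowed_stdlib_modules(sys.path)` in an interpreter lists any accidental shadowing in the current environment; a name that is not in the stdlib at all resolves from whichever directory holds it, whatever the order.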
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/E2WH7XXZE7QKEWCNUAHE5L2MAGDEZY7R/
Code of Conduct: http://python.org/psf/codeofconduct/