On 2019-10-30 02:50, Paul Moore wrote:
>> If an attacker can write files in sys.path, they've already won :-)
>
> Conceded. Although the normal attack vector is to get someone to
> import your malicious package. With this change, there's a new attack
> vector, getting someone to reference an undefined name from a trusted
> package. As I said, though, it's unlikely, and just a *potential*
> issue.

There's nothing new about that either, though. Any imported module can already monkeypatch a stdlib module to add such typo-names and map them to malicious functions.

--
Brendan Barnwell
"Do not follow where the path may lead. Go, instead, where there is no path, and leave a trail."
   --author unknown
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/GF7ISYJI75QHEHXDZU4YODAJILK67BA5/
Code of Conduct: http://python.org/psf/codeofconduct/
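
A defensive check for the point made in the message above, as an added example that is not part of the original thread: it snapshots the namespace of watched stdlib modules, runs an import, and reports names that were added or rebound. The names `audit_import`, `diff_namespace` and `constructed_third_party_import` are hypothetical, and the "third-party" side effect is constructed for the demonstration.

```python
import math
import string


def snapshot(module):
    """Copy the module namespace, keeping references so identity checks stay valid."""
    return dict(vars(module))


def diff_namespace(module, baseline):
    """Compare the live namespace with a baseline taken earlier."""
    current = vars(module)
    return {
        "added": sorted(n for n in current if n not in baseline),
        "rebound": sorted(n for n in current
                          if n in baseline and current[n] is not baseline[n]),
        "removed": sorted(n for n in baseline if n not in current),
    }


def audit_import(run_import, watched):
    """Run a callable that performs imports; report changes to watched modules."""
    baselines = {m.__name__: snapshot(m) for m in watched}
    run_import()
    report = {}
    for m in watched:
        changes = diff_namespace(m, baselines[m.__name__])
        if any(changes.values()):
            report[m.__name__] = changes
    return report


def constructed_third_party_import():
    """Constructed stand-in for the top-level code of an imported module."""
    math.sqroot = lambda x: x ** 0.5           # typo-name added to a stdlib module
    string.capwords = lambda s, sep=None: s    # existing stdlib name rebound


def demo():
    original_capwords = string.capwords
    try:
        return audit_import(constructed_third_party_import, [math, string])
    finally:
        # Restore the stdlib modules so the demo leaves the interpreter clean.
        string.capwords = original_capwords
        if hasattr(math, "sqroot"):
            del math.sqroot


if __name__ == "__main__":
    print(demo())
```

The comparison uses object identity, so it flags a rebound name even when the replacement behaves the same as the original.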
