[Python-Dev] Re: Proposal to deprecate mailcap
I didn't spot anyone else report this to mitmproxy so I raised an issue to make them aware: https://github.com/mitmproxy/mitmproxy/issues/5297

On Tue, Apr 26, 2022 at 3:30 AM Victor Stinner wrote:

> On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon wrote:
> > After talking about this in the SC today, we agreed to deprecate mailcap
> > under the auspices of PEP 594:
> > https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c7822
> > .
>
> Good. I proposed https://github.com/python/cpython/pull/91951 to
> implement the deprecation in Python 3.11.
>
> Fixing or documenting the shell injection vulnerability CVE-2015-20107
> is still being discussed at:
> https://github.com/python/cpython/issues/68966
>
> Victor

___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/INWQMSKTJCJGSVIZUDKV5V6FIJVYO3VA/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-Dev] Re: Proposal to deprecate mailcap
On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon wrote:

> After talking about this in the SC today, we agreed to deprecate mailcap
> under the auspices of PEP 594:
> https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c7822
> .

Good. I proposed https://github.com/python/cpython/pull/91951 to implement the deprecation in Python 3.11.

Fixing or documenting the shell injection vulnerability CVE-2015-20107 is still being discussed at: https://github.com/python/cpython/issues/68966

Victor

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/Y4IAWAWYTNKSIAVTXJGV2ZMQTFV5WYTT/
[Python-Dev] Re: Proposal to deprecate mailcap
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c7822 .

On Thu, Apr 14, 2022 at 11:44 AM Brett Cannon wrote:

> A CVE has been opened against mailcap (see
> https://github.com/python/cpython/issues/68966 for details). I'm not
> aware of anyone trying to maintain the module and Victor did a search
> online and didn't find any use of the module in the top 5000 projects on
> PyPI (see the issue). The module is also under 300 lines of Python code
> that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py),
> so vendoring wouldn't be burdensome.
>
> As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13.
> Any explicit objections?

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/I32FOGSHZWPQYFWHXVR7BGQ3IHRD7VJY/
[Python-Dev] Re: Proposal to deprecate mailcap
Whoops, you’re right. I suppose I should have no opinion on whether to deprecate it; I haven’t thought about it for over two decades…

On Thu, Apr 14, 2022 at 16:33 Jelle Zijlstra wrote:

> On Thu, Apr 14, 2022 at 12:21, Damian Shaw wrote:
>
>> > I searched grep.app and found no significant usage.
>>
>> Maybe someone wants to inform mitmproxy?
>>
>> It's a very popular tool and it comes up using that tool when searching
>> for "import mailcap" using grep.app:
>> https://grep.app/search?q=import%20mailcap
>>
>> https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/master.py#L2
>
> Thanks for catching that! I missed it because I mistakenly searched for
> '"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to
> the security issue because it only passes a filename from mkstemp() to
> mailcap, and hopefully mkstemp filenames don't have shell metacharacters in
> them. However, if we deprecate mailcap mitmproxy will have to change their
> code.
>
> On Thu, Apr 14, 2022 at 13:33, Guido van Rossum wrote:
>
>> Probably because it’s not a top level module — it’s inside the email
>> package.
>
> It's in fact a top-level module.

--
--Guido (mobile)

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/AAIXGR57BXDULXPTJJN4LBTVR4KVFPED/
[Python-Dev] Re: Proposal to deprecate mailcap
On Thu, Apr 14, 2022 at 12:21, Damian Shaw wrote:

> > I searched grep.app and found no significant usage.
>
> Maybe someone wants to inform mitmproxy?
>
> It's a very popular tool and it comes up using that tool when searching
> for "import mailcap" using grep.app:
> https://grep.app/search?q=import%20mailcap
>
> https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/master.py#L2

Thanks for catching that! I missed it because I mistakenly searched for '"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to the security issue because it only passes a filename from mkstemp() to mailcap, and hopefully mkstemp filenames don't have shell metacharacters in them. However, if we deprecate mailcap mitmproxy will have to change their code.

On Thu, Apr 14, 2022 at 13:33, Guido van Rossum wrote:

> Probably because it’s not a top level module — it’s inside the email
> package.

It's in fact a top-level module.

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/25FNDJBERE5PLBP3VX3JQ7ER2LNE2K2O/
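
The point in the message above about mkstemp() filenames and shell metacharacters, as an added example that is not part of the thread and is not CPython's mailcap code: a simplified model of substituting a filename for `%s` in a shell command template, with and without quoting, plus a check of what mkstemp() generates. The template, the filename and all helper names are constructed for illustration; nothing is executed by a shell.

```python
import os
import re
import shlex
import tempfile

# Characters a POSIX shell treats as plain word characters
# (the same set shlex.quote() leaves unquoted).
_SAFE_WORD = re.compile(r"[\w@%+=:,./-]+", re.ASCII)


def is_shell_safe(name):
    """True if name contains no shell metacharacters or whitespace."""
    return _SAFE_WORD.fullmatch(name) is not None


def fill_unquoted(template, filename):
    """Simplified model of '%s' substitution with no quoting (the risky form)."""
    return template.replace("%s", filename)


def fill_quoted(template, filename):
    """Same substitution, with the filename quoted as a single shell word."""
    return template.replace("%s", shlex.quote(filename))


def shell_tokens(command):
    """Tokenise roughly as a POSIX shell would, without running anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def mkstemp_basename_is_safe():
    """Check the name mkstemp() generates. The directory prefix comes from
    the environment (e.g. TMPDIR), so it must be checked separately."""
    fd, path = tempfile.mkstemp()
    try:
        return is_shell_safe(os.path.basename(path))
    finally:
        os.close(fd)
        os.unlink(path)


TEMPLATE = "less %s"                   # constructed mailcap-style view command
HOSTILE = "notes.txt; echo injected"   # constructed filename with a metacharacter

if __name__ == "__main__":
    print(shell_tokens(fill_unquoted(TEMPLATE, HOSTILE)))  # ';' becomes its own token
    print(shell_tokens(fill_quoted(TEMPLATE, HOSTILE)))    # filename stays one word
    print(mkstemp_basename_is_safe())
```

A caller that keeps using a vendored copy of the module can apply `is_shell_safe()` to every value it passes in, rather than relying on where the filename came from.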
[Python-Dev] Re: Proposal to deprecate mailcap
+1 add it to the 3.11 deprecations and proactively reach out to the mitmproxy owners.

(internal code search: aside from mitmproxy I only see a _single_ use of this in our codebase and it was simply convenient but has a clear simpler alternative assuming that ~2008 era code is even still in use)

-gps

On Thu, Apr 14, 2022 at 11:49 AM Brett Cannon wrote:

> A CVE has been opened against mailcap (see
> https://github.com/python/cpython/issues/68966 for details). I'm not
> aware of anyone trying to maintain the module and Victor did a search
> online and didn't find any use of the module in the top 5000 projects on
> PyPI (see the issue). The module is also under 300 lines of Python code
> that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py),
> so vendoring wouldn't be burdensome.
>
> As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13.
> Any explicit objections?

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/GG2JGVJPKEGS4P5ASSLJGGWUOO2JBCBJ/
[Python-Dev] Re: Proposal to deprecate mailcap
On Thu, Apr 14, 2022 at 12:04 Jelle Zijlstra wrote:

> On Thu, Apr 14, 2022 at 11:47, Brett Cannon wrote:
>
>> Do you know why this module wasn't included in PEP 594?

Probably because it’s not a top level module — it’s inside the email package.

> Should we do another audit of old modules to deprecate them before they
> cause problems?

--
--Guido (mobile)

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/ZMSD2LZ3SRM6E3W3Z2VDEKZIMVLO6VZW/
[Python-Dev] Re: Proposal to deprecate mailcap
> I searched grep.app and found no significant usage.

Maybe someone wants to inform mitmproxy?

It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap

https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/master.py#L2

On Thu, Apr 14, 2022 at 3:06 PM Jelle Zijlstra wrote:

> On Thu, Apr 14, 2022 at 11:47, Brett Cannon wrote:
>
>> A CVE has been opened against mailcap (see
>> https://github.com/python/cpython/issues/68966 for details). I'm not
>> aware of anyone trying to maintain the module and Victor did a search
>> online and didn't find any use of the module in the top 5000 projects on
>> PyPI (see the issue). The module is also under 300 lines of Python code
>> that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py),
>> so vendoring wouldn't be burdensome.
>>
>> As such, I'm proposing we deprecate mailcap in 3.11 and remove it in
>> 3.13. Any explicit objections?
>
> Agree on deprecating. I searched grep.app and found no significant usage.
>
> Do you know why this module wasn't included in PEP 594? Should we do
> another audit of old modules to deprecate them before they cause problems?

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/MRW7DDFMD4G4D46AIRO3JICFKK5HSN6X/
[Python-Dev] Re: Proposal to deprecate mailcap
On Thu, Apr 14, 2022 at 11:47, Brett Cannon wrote:

> A CVE has been opened against mailcap (see
> https://github.com/python/cpython/issues/68966 for details). I'm not
> aware of anyone trying to maintain the module and Victor did a search
> online and didn't find any use of the module in the top 5000 projects on
> PyPI (see the issue). The module is also under 300 lines of Python code
> that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py),
> so vendoring wouldn't be burdensome.
>
> As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13.
> Any explicit objections?

Agree on deprecating. I searched grep.app and found no significant usage.

Do you know why this module wasn't included in PEP 594? Should we do another audit of old modules to deprecate them before they cause problems?

Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/ON7R7LD7OVPOF5XXPXJWE7AKCRAPQ7IN/