Marc-Andre Lemburg added the comment:

On 29.06.2015 21:30, Min RK wrote:
> .pth files currently allow execution of arbitrary code, triggered by lines starting with `import`. This is a rarely understood, and often misbehaving feature. easy_install has used this feature to ensure that its packages are highest priority (even higher than stdlib). This is one of the unfortunate behaviors that pip undoes from easy_install, in part due to the problems it can cause. There is currently a proposal in setuptools to stop using this, even for easy_install.
>
> The attached patch removes support for executing code in .pth files, throwing an ImportWarning if any such attempts at import are seen.
Such a change will require a PEP, since it's an essential feature that has been documented for a very long time: https://docs.python.org/3.5/library/site.html and is used by a lot of existing setuptools installations, which would break if Python were to remove support for this.

The PEP would also need to address the reasons for removing the feature, e.g. explain possible attack vectors, confusion caused by this, etc. You can then reference this patch in the PEP.

Thanks,
--
Marc-Andre Lemburg
eGenix.com

----------
nosy: +lemburg

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24534>
_______________________________________
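As an added illustration of the .pth behaviour discussed above (example code written for this page, not part of the tracker issue, the attached patch, or CPython), the helper below mirrors the line classification that `site.addpackage()` applies and reports which lines of a site directory's .pth files would be handed to `exec()` at interpreter startup, without running them. The function names `classify_pth_lines`, `find_exec_lines`, `audit_sample` and the sample .pth content are constructed for the example.

```python
import os
import tempfile
from typing import List, Tuple

# Mirrors the per-line logic of site.addpackage(): "#" comments and blank
# lines are skipped, lines beginning with "import " or "import\t" are passed
# to exec(), and every other line is treated as a directory to add to sys.path.
def classify_pth_lines(text: str) -> List[Tuple[int, str, str]]:
    result = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or line.strip() == "":
            continue
        kind = "exec" if line.startswith(("import ", "import\t")) else "path"
        result.append((lineno, kind, line.rstrip()))
    return result

def find_exec_lines(sitedir: str) -> List[Tuple[str, int, str]]:
    """(file, lineno, line) for every exec'able line in sitedir's .pth files,
    visited in the sorted order site.addsitedir() uses; nothing is executed."""
    findings = []
    for name in sorted(os.listdir(sitedir)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(sitedir, name), encoding="utf-8",
                  errors="replace") as f:
            for lineno, kind, line in classify_pth_lines(f.read()):
                if kind == "exec":
                    findings.append((name, lineno, line))
    return findings

# Constructed sample in the style of an easy_install-generated .pth file;
# the "import" lines are the ones the interpreter would execute at startup.
SAMPLE_PTH = """\
# generated by a hypothetical installer
some_package-1.0-py3.egg
import sys; sys.__plen = len(sys.path)

import sys; sys.path[:] = sys.path[sys.__plen:] + sys.path[:sys.__plen]
"""

def audit_sample() -> List[Tuple[str, int, str]]:
    """Write the constructed sample into a temporary site dir and audit it."""
    with tempfile.TemporaryDirectory() as sitedir:
        with open(os.path.join(sitedir, "easy-install.pth"), "w",
                  encoding="utf-8") as f:
            f.write(SAMPLE_PTH)
        return find_exec_lines(sitedir)
```

Note that a line such as `importlib_resources` is a path entry, not code: site.py only executes lines whose prefix is `import` followed by a space or tab.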