STINNER Victor <vstin...@python.org> added the comment:
I'm not saying that this issue is not a vulnerability, just that the scope is limited.

By default, downloads from the Internet are disabled. You have to opt in for that using -u network (or -u all which enables the network resource) command line option of "./python -m test".

Impacted:

* "make testall", "make testuniversal" and "make buildbottest" commands are impacted (pass -u all to the test suite).
* Python buildbot workers are impacted: they run the "make buildbottest" command.
* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".
* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): run "-uall,-cpu".
* Azure Pipelines jobs are impacted: use -uall,-cpu.

> https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168

Fedora packages are not impacted: no -u option is passed to the test suite.

> Anyone building with --enable-optimizations (PGO) will likely do so as well,
> though I'm not sure if that runs this part of the testsuite.

PGO build is not impacted, it uses "./python -m test --pgo" (download is disabled). Moreover, multibyte codec checks are not run by this command (see Lib/test/libregrtest/pgo.py, only test_codecs of codec tests is run).

----------
nosy: +pablogsal, zach.ware

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41944>
_______________________________________
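The opt-in rule described in the comment above can be checked mechanically against CI job definitions. The following is an added example, not part of the original message or of CPython: the function names and sample commands are constructed, and the handling of `none` and `-network` goes beyond what the message states, modelling regrtest's resource syntax in simplified form.

```python
import shlex

# Make targets the comment lists as passing "-u all" to the test suite.
MAKE_TARGETS_WITH_U_ALL = {"testall", "testuniversal", "buildbottest"}


def use_specs(argv):
    """Collect the values passed to -u/--use, in separate or attached form."""
    specs, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-u", "--use") and i + 1 < len(argv):
            specs.append(argv[i + 1])
            i += 1
        elif arg.startswith("--use="):
            specs.append(arg[len("--use="):])
        elif arg.startswith("-u") and len(arg) > 2:
            specs.append(arg[2:])  # e.g. -uall,-cpu
        i += 1
    return specs


def network_enabled(command):
    """True if the command opts in to the 'network' resource."""
    argv = shlex.split(command)
    if argv and argv[0] == "make":
        return any(t in MAKE_TARGETS_WITH_U_ALL for t in argv[1:])
    enabled = False  # default per the comment: downloads are disabled
    for spec in use_specs(argv):
        for item in spec.lower().split(","):
            if item in ("all", "network"):
                enabled = True
            elif item in ("none", "-network"):
                enabled = False
    return enabled


# Constructed sample: command lines as they might appear in CI job definitions.
SAMPLE_COMMANDS = [
    "./python -m test -uall,-cpu",
    "./python -m test --pgo",
    "make buildbottest",
    "./python -m test -u all,-network",
    "./python -m test -j4",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print("IMPACTED" if network_enabled(cmd) else "ok      ", cmd)
```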