On 2 Sep 2014 03:08, "Donald Stufft" <don...@stufft.io> wrote: > > >> On Sep 1, 2014, at 1:01 PM, Christian Heimes <christ...@python.org> wrote: >> >> On 01.09.2014 17:35, Nick Coghlan wrote: >>> >>> Oh, now I get what you mean - yes, sitecustomize already poses the same >>> kind of problem as the proposed sslcustomize (hence the existence of the >>> related command line options). >> >> >> If an attacker is able to place a module like sitecustomize.py in an >> import directory or any .pth file in a site-packages directory than this >> Python installation is compromised. .pth files are insidious because >> they are always loaded and their code is always executed. I don't see >> how sslcustomize is going to make a difference here. >> > > Right, this is the point I was trying to make. If you’ve installed a malicious > package it’s game over. There’s nothing Python can do to help you.
Yes, that's what I said originally when pointing out that isolated mode and the switch to disable site module processing would need to disable sslcustomize processing as well. Antoine was replying to a side comment about it being tricky to shadow stdlib modules. I left out the qualifier "directly" in my original comment, and he left out "indirectly through sitecustomize" in his initial reply, so we were talking past each for a while. Cheers, Nick. > > --- > Donald Stufft > PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA >
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
