[issue45131] `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously

2021-10-15 Thread Filipe Laíns

Change by Filipe Laíns :


--
nosy: +dstufft, ncoghlan, pradyunsg

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue45131] `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously

2021-09-07 Thread Sean Kelly

New submission from Sean Kelly :

Creating a new virtual environment with the `venv` module reads any local 
`setup.cfg` file that may be found; if such a file has garbage, the `venv` 
fails with a mysterious message. 

Reproduce:

```
$ date -u
Tue Sep  7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', 
'--upgrade', '--default-pip']' returned non-zero exit status 1.
```

(Took me a little while to figure out I had some garbage in a `setup.cfg` file 
in $CWD that was causing it.)

Implications:

Potential implications are that a specially crafted `setup.cfg` might cause a 
security-compromised virtual environment to be created maybe? I don't know.

--
messages: 401320
nosy: nutjob4life
priority: normal
severity: normal
status: open
title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
type: behavior
versions: Python 3.9

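A pre-flight check for the situation in the report above, added here as an example (not code from the tracker or from CPython): it looks for a `setup.cfg` in the directory where `python3 -m venv` is about to run and reports whether the file parses as an INI file. The name `check_setup_cfg` and the sample files are constructed; the check assumes the failure comes from the file not parsing with `configparser`, which the report does not confirm.

```python
"""Pre-flight check before `python3 -m venv`: is there a setup.cfg in the
working directory, and does it parse as an INI file?"""
import configparser
import os
import tempfile


def check_setup_cfg(directory="."):
    """Return (status, detail) for a setup.cfg in `directory`.

    status is "absent", "ok" (detail = section names, for manual review)
    or "malformed" (detail = first line of the parser's error message).
    """
    path = os.path.join(directory, "setup.cfg")
    if not os.path.isfile(path):
        return "absent", None
    # interpolation=None: only the file's structure matters for this check.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            parser.read_file(handle, source=path)
    except configparser.Error as exc:
        return "malformed", str(exc).splitlines()[0]
    return "ok", parser.sections()


def demo():
    """Run the check on constructed files, including the report's `a < b`."""
    samples = {
        "garbage": "a < b\n",                  # constructed: content from the report
        "valid": "[metadata]\nname = demo\n",  # constructed: well-formed file
    }
    results = {}
    for label, text in samples.items():
        with tempfile.TemporaryDirectory() as tmp:
            with open(os.path.join(tmp, "setup.cfg"), "w") as handle:
                handle.write(text)
            results[label] = check_setup_cfg(tmp)
    with tempfile.TemporaryDirectory() as tmp:  # directory with no setup.cfg
        results["empty_dir"] = check_setup_cfg(tmp)
    return results


if __name__ == "__main__":
    for label, (status, detail) in demo().items():
        print(f"{label}: {status} {detail!r}")
```

A "malformed" result points at the file to inspect before creating the environment; an "ok" result still lists the sections so an unexpected `setup.cfg` can be reviewed rather than silently picked up.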