A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only ( https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome. As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
On Thu, Apr 14, 2022 at 11:47, Brett Cannon (<brett@python.org>) wrote:
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
Agree on deprecating. I searched grep.app and found no significant usage. Do you know why this module wasn't included in PEP 594? Should we do another audit of old modules to deprecate them before they cause problems?
_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/EB2BS4DB... Code of Conduct: http://python.org/psf/codeofconduct/
I searched grep.app and found no significant usage.
Maybe someone wants to inform mitmproxy? It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas... On Thu, Apr 14, 2022 at 3:06 PM Jelle Zijlstra <jelle.zijlstra@gmail.com> wrote:
On Thu, Apr 14, 2022 at 11:47, Brett Cannon (<brett@python.org>) wrote:
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
Agree on deprecating. I searched grep.app and found no significant usage.
Do you know why this module wasn't included in PEP 594? Should we do another audit of old modules to deprecate them before they cause problems?
On Thu, Apr 14, 2022 at 12:21, Damian Shaw (<damian.peter.shaw@gmail.com>) wrote:
I searched grep.app and found no significant usage.
Maybe someone wants to inform mitmproxy?
It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap
https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas...
Thanks for catching that! I missed it because I mistakenly searched for '"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to the security issue because it only passes a filename from mkstemp() to mailcap, and hopefully mkstemp filenames don't have shell metacharacters in them. However, if we deprecate mailcap mitmproxy will have to change their code. On Thu, Apr 14, 2022 at 13:33, Guido van Rossum (<guido@python.org>) wrote:
Probably because it’s not a top level module — it’s inside the email package.
It's in fact a top-level module.
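The reasoning above (mitmproxy is only safe because the name it substitutes comes from mkstemp() and so carries no shell metacharacters) is easy to check mechanically. The following is an added example, not code from this thread, from CPython's mailcap module or from mitmproxy: it mimics the historical unquoted `%s` substitution, puts a hardened variant beside it that rejects or shell-quotes the filename, and verifies that a mkstemp() path on a default POSIX temp directory passes the check. The allow-list regex and the sample command template are this example's own assumptions.

```python
"""Added example (not from the thread, CPython or mitmproxy): why an unquoted
mailcap %s substitution is a shell-injection sink, and how to check a filename
before handing it to such a command."""
import os
import re
import shlex
import tempfile

# Anything outside this set could carry meaning to /bin/sh (space, ;, |, `, $, quotes...).
# Assumption: this allow-list is the example's own, modelled on shlex.quote's safe set
# but stricter (no '%', which mailcap itself treats specially).
_UNSAFE = re.compile(r"[^\w@+=:,./-]")

# Constructed command template; real mailcap entries look like
# "type/subtype; command %s", where %s is replaced by the file name.
SAMPLE_COMMAND_TEMPLATE = "display %s"


def substitute_unquoted(template: str, filename: str) -> str:
    """Historical mailcap behaviour: %s becomes the raw filename and the result is
    passed to a shell, so any metacharacter in filename becomes shell syntax."""
    return template.replace("%s", filename)


def has_shell_metacharacters(filename: str) -> bool:
    """True if filename is empty or contains anything outside the allow-list."""
    return not filename or _UNSAFE.search(filename) is not None


def build_viewer_command(template: str, filename: str) -> str:
    """Hardened variant: reject unsafe names outright and shell-quote the rest,
    so a name that ever slipped past the allow-list still stays one argument."""
    if has_shell_metacharacters(filename):
        raise ValueError(f"refusing to substitute unsafe filename {filename!r} into a shell command")
    return template.replace("%s", shlex.quote(filename))


def mkstemp_name_is_safe(suffix: str = ".png") -> bool:
    """Check the claim made for mitmproxy's usage: a tempfile.mkstemp() path in a
    default POSIX temp dir contains only allow-listed characters."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        return not has_shell_metacharacters(path)
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    safe = "/tmp/tmpab12cd.png"          # constructed, mkstemp-like name
    odd = "/tmp/name with space.png"     # constructed, contains a metacharacter (space)
    print(substitute_unquoted(SAMPLE_COMMAND_TEMPLATE, safe))
    print(build_viewer_command(SAMPLE_COMMAND_TEMPLATE, safe))
    print("mkstemp names pass the check:", mkstemp_name_is_safe())
    try:
        build_viewer_command(SAMPLE_COMMAND_TEMPLATE, odd)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list check is the control that matters: shlex.quote alone would also neutralise a bad name, but refusing it makes the failure loud rather than silently passing a surprising argument to the viewer.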
Whoops, you’re right. I suppose I should have no opinion on whether to deprecate it; I haven’t thought about it for over two decades… On Thu, Apr 14, 2022 at 16:33 Jelle Zijlstra <jelle.zijlstra@gmail.com> wrote:
On Thu, Apr 14, 2022 at 12:21, Damian Shaw (<damian.peter.shaw@gmail.com>) wrote:
I searched grep.app and found no significant usage.
Maybe someone wants to inform mitmproxy?
It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap
https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas...
Thanks for catching that! I missed it because I mistakenly searched for '"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to the security issue because it only passes a filename from mkstemp() to mailcap, and hopefully mkstemp filenames don't have shell metacharacters in them. However, if we deprecate mailcap mitmproxy will have to change their code.
On Thu, Apr 14, 2022 at 13:33, Guido van Rossum (<guido@python.org>) wrote:
Probably because it’s not a top level module — it’s inside the email package.
It's in fact a top-level module.
-- --Guido (mobile)
On Thu, Apr 14, 2022 at 12:04 Jelle Zijlstra <jelle.zijlstra@gmail.com> wrote:
On Thu, Apr 14, 2022 at 11:47, Brett Cannon (<brett@python.org>) wrote:
Do you know why this module wasn't included in PEP 594?
Probably because it’s not a top level module — it’s inside the email package.
Should we do another audit of old modules to deprecate them before they cause problems?
-- --Guido (mobile)
+1 add it to the 3.11 deprecations and proactively reach out to the mitmproxy owners. (internal code search: aside from mitmproxy I only see a _single_ use of this in our codebase and it was simply convenient but has a clear simpler alternative assuming that ~2008 era code is even still in use) -gps On Thu, Apr 14, 2022 at 11:49 AM Brett Cannon <brett@python.org> wrote:
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78... . On Thu, Apr 14, 2022 at 11:44 AM Brett Cannon <brett@python.org> wrote:
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon <brett@python.org> wrote:
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78... .
Good. I proposed https://github.com/python/cpython/pull/91951 to implement the deprecation in Python 3.11. Fixing or documenting the shell injection vulnerability CVE-2015-20107 is still being discussed at: https://github.com/python/cpython/issues/68966 Victor
I didn't spot anyone else report this to mitmproxy so I raised an issue to make them aware: https://github.com/mitmproxy/mitmproxy/issues/5297 On Tue, Apr 26, 2022 at 3:30 AM Victor Stinner <vstinner@python.org> wrote:
On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon <brett@python.org> wrote:
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78... .
Good. I proposed https://github.com/python/cpython/pull/91951 to implement the deprecation in Python 3.11.
Fixing or documenting the shell injection vulnerability CVE-2015-20107 is still being discussed at: https://github.com/python/cpython/issues/68966
Victor
participants (6): Brett Cannon, Damian Shaw, Gregory P. Smith, Guido van Rossum, Jelle Zijlstra, Victor Stinner