A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only ( https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome. As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
On Thu, 14 Apr 2022 at 11:47, Brett Cannon (
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
Agree on deprecating. I searched grep.app and found no significant usage. Do you know why this module wasn't included in PEP 594? Should we do another audit of old modules to deprecate them before they cause problems?
_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/EB2BS4DB... Code of Conduct: http://python.org/psf/codeofconduct/
I searched grep.app and found no significant usage.
Maybe someone wants to inform mitmproxy?
It's a very popular tool and it comes up using that tool when searching for
"import mailcap" using grep.app:
https://grep.app/search?q=import%20mailcap
https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas...
On Thu, Apr 14, 2022 at 12:04 Jelle Zijlstra
On Thu, 14 Apr 2022 at 11:47, Brett Cannon (
) wrote: Do you know why this module wasn't included in PEP 594?
Probably because it’s not a top level module — it’s inside the email package.
Should we do another audit of old modules to deprecate them before they cause problems?
-- --Guido (mobile)
+1 add it to the 3.11 deprecations and proactively reach out to the
mitmproxy owners.
(internal code search: aside from mitmproxy I only see a _single_ use of
this in our codebase and it was simply convenient but has a clear simpler
alternative assuming that ~2008 era code is even still in use)
-gps
On Thu, Apr 14, 2022 at 11:49 AM Brett Cannon
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
On Thu, 14 Apr 2022 at 12:21, Damian Shaw (
I searched grep.app and found no significant usage.
Maybe someone wants to inform mitmproxy?
It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap
https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas...
Thanks for catching that! I missed it because I mistakenly searched for
'"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to
the security issue because it only passes a filename from mkstemp() to
mailcap, and hopefully mkstemp filenames don't have shell metacharacters in
them. However, if we deprecate mailcap mitmproxy will have to change their
code.
On Thu, 14 Apr 2022 at 13:33, Guido van Rossum (
Probably because it’s not a top level module — it’s inside the email package.
It's in fact a top-level module.
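The reasoning above about mitmproxy (only names produced by mkstemp() ever reach mailcap, and those contain no shell metacharacters) can be turned into an explicit check that a caller runs before any command line is built. The following is an added example, not code from this thread, from CPython or from mitmproxy. It assumes a caller that wants to refuse, up front, any filename containing a character a POSIX shell could interpret, and it verifies that the names tempfile.mkstemp() generates pass that allowlist; the sample filenames in it are constructed.

```python
"""Added example: an allowlist guard for filenames destined for mailcap's
unquoted %s substitution (CVE-2015-20107).

Not code from the python-dev thread, CPython or mitmproxy.  Assumes the
caller wants to reject a filename outright rather than build a shell
command from it, and that tempfile.mkstemp() names must pass the guard.
"""
import os
import re
import tempfile

POSIX = os.name == "posix"

# Allowlist: ASCII letters, digits, '.', '_', '-' and the platform path
# separators.  Everything else (space, quotes, ';', '$', '|', '`', '&',
# newline, ...) is rejected, so no shell-significant character gets through.
_SEPARATORS = "".join(re.escape(s) for s in (os.sep, os.altsep or ""))
_SAFE_PATH = re.compile(r"\A[A-Za-z0-9._\-" + _SEPARATORS + r"]+\Z")


def is_shell_safe_filename(path: str) -> bool:
    """True only if `path` is non-empty and every character is allowlisted."""
    return _SAFE_PATH.match(path) is not None


def first_unsafe_character(path: str):
    """Return the first character outside the allowlist, or None if clean.
    Handy for the message a caller logs when it refuses a name."""
    for ch in path:
        if not _SAFE_PATH.match(ch):
            return ch
    return None


def safe_filename_or_raise(path: str) -> str:
    """Gate for callers: return the name unchanged if it is clean, otherwise
    raise ValueError instead of letting it reach a shell command."""
    if not is_shell_safe_filename(path):
        bad = first_unsafe_character(path)
        raise ValueError(
            f"refusing filename with shell-significant character {bad!r}"
            if bad is not None else "refusing empty filename"
        )
    return path


def mkstemp_name_is_safe(suffix: str = ".html") -> bool:
    """Create a temporary file the way a mailcap caller would (mkstemp) and
    report whether the generated name passes the guard; the file is removed."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    os.close(fd)
    try:
        return is_shell_safe_filename(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample names (no such files exist).
    for name in ["/tmp/tmpk3x9_ab.html", "/tmp/report 1.html", "/tmp/a;b.html"]:
        print(f"{name!r}: safe={is_shell_safe_filename(name)}, "
              f"first unsafe={first_unsafe_character(name)!r}")
    print("mkstemp() name passes the guard:", mkstemp_name_is_safe())
```

Rejecting is the conservative choice for a viewer-launching path: a name that fails the allowlist is almost never a legitimate temporary file, so refusing it loses nothing. A caller that must accept arbitrary names instead has to quote them (shlex.quote) before they are substituted into a command string, and should prefer running the result without a shell at all.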
Whoops, you’re right. I suppose I should have no opinion on whether to
deprecate it; I haven’t thought about it for over two decades…
-- --Guido (mobile)
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78...
On Thu, Apr 14, 2022 at 11:44 AM Brett Cannon
A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.
As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?
On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon
After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78... .
Good. I proposed https://github.com/python/cpython/pull/91951 to implement the deprecation in Python 3.11. Fixing or documenting the shell injection vulnerability CVE-2015-20107 is still being discussed at: https://github.com/python/cpython/issues/68966
Victor
I didn't spot anyone else report this to mitmproxy so I raised an issue to
make them aware: https://github.com/mitmproxy/mitmproxy/issues/5297
participants (6)
- Brett Cannon
- Damian Shaw
- Gregory P. Smith
- Guido van Rossum
- Jelle Zijlstra
- Victor Stinner