I searched grep.app and found no significant usage.

Maybe someone wants to inform mitmproxy? It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas... On Thu, Apr 14, 2022 at 3:06 PM Jelle Zijlstra wrote:

El jue, 14 abr 2022 a las 11:47, Brett Cannon () escribió:

...

A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.

As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections?

Agree on deprecating. I searched grep.app and found no significant usage.

Do you know why this module wasn't included in PEP 594? Should we do another audit of old modules to deprecate them before they cause problems?

...

_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/EB2BS4DB... Code of Conduct: http://python.org/psf/codeofconduct/

_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/ON7R7LD7... Code of Conduct: http://python.org/psf/codeofconduct/

+1 add it to the 3.11 deprecations and proactively reach out to the mitmproxy owners. (internal code search: aside from mitmproxy I only see a _single_ use of this in our codebase and it was simply convenient but has a clear simpler alternative assuming that ~2008 era code is even still in use) -gps On Thu, Apr 14, 2022 at 11:49 AM Brett Cannon wrote:

A CVE has been opened against mailcap (see https://github.com/python/cpython/issues/68966 for details). I'm not aware of anyone trying to maintain the module and Victor did a search online and didn't find any use of the module in the top 5000 projects on PyPI (see the issue). The module is also under 300 lines of Python code that only (https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring wouldn't be burdensome.

As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13. Any explicit objections? _______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/EB2BS4DB... Code of Conduct: http://python.org/psf/codeofconduct/

Whoops, you’re right. I suppose I should have no opinion on whether to deprecate it; I haven’t thought about it for over two decades… On Thu, Apr 14, 2022 at 16:33 Jelle Zijlstra wrote:

El jue, 14 abr 2022 a las 12:21, Damian Shaw () escribió:

...

...

I searched grep.app and found no significant usage.

Maybe someone wants to inform mitmproxy?

It's a very popular tool and it comes up using that tool when searching for "import mailcap" using grep.app: https://grep.app/search?q=import%20mailcap

https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/mas...

Thanks for catching that! I missed it because I mistakenly searched for '"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to the security issue because it only passes a filename from mkstemp() to mailcap, and hopefully mkstemp filenames don't have shell metacharacters in them. However, if we deprecate mailcap mitmproxy will have to change their code.

El jue, 14 abr 2022 a las 13:33, Guido van Rossum () escribió:

...

Probably because it’s not a top level module — it’s inside the email package.

It's in fact a top-level module.

_______________________________________________ Python-Dev mailing list -- python-dev@python.org To unsubscribe send an email to python-dev-leave@python.org https://mail.python.org/mailman3/lists/python-dev.python.org/ Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/25FNDJBE... Code of Conduct: http://python.org/psf/codeofconduct/

-- --Guido (mobile)

On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon wrote:

After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c78... .

Good. I proposed https://github.com/python/cpython/pull/91951 to implement the deprecation in Python 3.11. Fixing or documenting the shell injection vulnerability CVE-2015-20107 is still being discussed at: https://github.com/python/cpython/issues/68966 Victor