ctypes compatibility with 2.3
I am working on <https://bugs.python.org/issue22636>, to fix shell injection problems with ctypes.util.find_library(). The proposal for Python 3 is to change os.popen(shell-script) calls to use subprocess.Popen().

However the Python 2.7 version of the module has a comment which says “This file should be kept compatible with Python 2.3, see PEP 291.” Looking at <https://www.python.org/dev/peps/pep-0291/>, it is not clear why we have to maintain this compatibility. My best guess is that there may be an external ctypes package that people want(ed) to keep compatible with 2.3, and also keep synchronized with 2.7.

I would like to lift this restriction to at least 2.4, because that is when the “subprocess” module was added. I notice that there is already code that relies on the list.sort(key=...) feature, which was added in 2.4. Ideally I would prefer to drop the restriction and only require 2.7 compatibility. Would either of these options be a problem?

If it is a problem, I think it is still possible to avoid the shell by passing a sequence of program arguments to os.popen(). But I prefer not to do this, because the function is marked as deprecated, and the code would be substantially different to Python 3.

-Martin
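The change proposed in this message, sketched as an added example (not code from the thread or from ctypes.util): the same lookup is run once through os.popen() with a shell script and once through subprocess.Popen() with an argument list. The stub command, the function names and the HOSTILE value are assumptions constructed for illustration.

```python
import os
import shlex
import subprocess
import sys

# Stand-in for the external helper a library lookup would run (assumption:
# the real tools are replaced by a stub that prints its first argument).
STUB_CODE = "import sys; print(sys.argv[1])"


def lookup_via_shell(name):
    """Vulnerable pattern: the library name is pasted into a shell script."""
    script = "%s -c %s -l%s" % (shlex.quote(sys.executable),
                                shlex.quote(STUB_CODE),
                                name)          # name is NOT quoted: the bug
    with os.popen(script) as pipe:             # os.popen() always uses a shell
        return pipe.read().splitlines()


def lookup_via_argv(name):
    """Hardened pattern: one argv element per argument, no shell involved."""
    proc = subprocess.Popen([sys.executable, "-c", STUB_CODE, "-l" + name],
                            stdout=subprocess.PIPE,
                            universal_newlines=True)
    out, _ = proc.communicate()
    return out.splitlines()


# Constructed input: a "library name" carrying a shell command separator.
HOSTILE = "c; echo INJECTED"

if __name__ == "__main__":
    for label, fn in (("shell", lookup_via_shell), ("argv", lookup_via_argv)):
        print(label, fn("c"), fn(HOSTILE))
```

With the constructed name, the shell version returns a second output line produced by the appended command, while the argument-list version passes the whole string to the stub as a single `-l...` argument.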
On Tue, 10 May 2016 at 01:18 Martin Panter <vadmium+py@gmail.com> wrote:
> I am working on <https://bugs.python.org/issue22636>, to fix shell injection problems with ctypes.util.find_library(). The proposal for Python 3 is to change os.popen(shell-script) calls to use subprocess.Popen().
>
> However the Python 2.7 version of the module has a comment which says “This file should be kept compatible with Python 2.3, see PEP 291.” Looking at <https://www.python.org/dev/peps/pep-0291/>, it is not clear why we have to maintain this compatibility. My best guess is that there may be an external ctypes package that people want(ed) to keep compatible with 2.3, and also keep synchronized with 2.7.

That's correct and the maintainer is/was Thomas Heller who I have cc'ed to see if he's okay with lifting the restriction.

-Brett
On 10.05.2016 at 19:39, Brett Cannon wrote:
> That's correct and the maintainer is/was Thomas Heller who I have cc'ed to see if he's okay with lifting the restriction.

For me it is totally ok to lift this restriction.

Thomas
On Wed, 11 May 2016 at 04:35 Thomas Heller <theller@ctypes.org> wrote:
> For me it is totally ok to lift this restriction.

Great! I'll also update PEP 291.
On 11.05.2016 at 18:04, Brett Cannon wrote:
> Great! I'll also update PEP 291.

Cool. While you're at it, the compatibility restriction for modulefinder could also be lifted.
On Wed, May 11, 2016 at 11:07 AM, Thomas Heller <theller@ctypes.org> wrote:
> Cool. While you're at it, the compatibility restriction for modulefinder
> could also be lifted.

+1

The question of modulefinder actually came up recently*:

http://bugs.python.org/issue26881

-- Meador

* Posting here for reference. Thomas already knows this as he is on the issue26881 watch list :-)
On Wed, 11 May 2016 at 09:07 Thomas Heller <theller@ctypes.org> wrote:
> Cool. While you're at it, the compatibility restriction for modulefinder could also be lifted.

Will do.
On Wed, 11 May 2016 at 09:28 Brett Cannon <brett@python.org> wrote:
> Will do.

PEP 291 no longer lists any restrictions on ctypes or modulefinder.
On 12 May 2016 at 01:05, Brett Cannon <brett@python.org> wrote:
> On Wed, 11 May 2016 at 09:28 Brett Cannon <brett@python.org> wrote:
>> On Wed, 11 May 2016 at 09:07 Thomas Heller <theller@ctypes.org> wrote:
>>> On 11.05.2016 at 18:04, Brett Cannon wrote:
>>>> On Wed, 11 May 2016 at 04:35 Thomas Heller <theller@ctypes.org> wrote:
>>>>> For me it is totally ok to lift this restriction.
>>>>
>>>> Great! I'll also update PEP 291.
>>>
>>> Cool. While you're at it, the compatibility restriction for modulefinder could also be lifted.
>>
>> Will do.
>
> PEP 291 no longer lists any restrictions on ctypes or modulefinder.

Thanks everyone for your responses. I will look at removing the notices in the code when I get a chance. That would probably involve reverting
https://hg.python.org/cpython/rev/381a72ab5fb8

And also the modulefinder.py comment

There are also these commits that could be backported
https://hg.python.org/cpython/rev/0980034adaa7 (ctypes)
https://hg.python.org/cpython/diff/627db59031be/Lib/modulefinder.py
but it might be safer just to leave the compatibility code there, perhaps with a clarifying comment.
participants (4)
- Brett Cannon
- Martin Panter
- Meador Inge
- Thomas Heller