[New-bugs-announce] [issue45131] `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
Sean Kelly
report at bugs.python.org
Tue Sep 7 14:15:21 EDT 2021
New submission from Sean Kelly <kelly at seankelly.biz>:
Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message.
Reproduce:
```
$ date -u
Tue Sep 7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
```
(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)
Implications:
Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.
----------
messages: 401320
nosy: nutjob4life
priority: normal
severity: normal
status: open
title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
type: behavior
versions: Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue45131>
_______________________________________
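
A preflight check for the situation in the report above, as an added example that is not part of the original message or of CPython: it looks for a `setup.cfg` in the directory where `python3 -m venv` is about to run and reports whether the file parses as INI. It assumes the failure arises when the file is parsed as an INI-style config; the names `preflight` and `demo` and the sample directories are made up for the example.

```python
import configparser
import tempfile
from pathlib import Path

LOCAL_CONFIG = "setup.cfg"  # the file named in the report


def preflight(directory):
    """Classify the setup.cfg, if any, in `directory`.

    Returns (status, detail); status is "absent", "parseable" or "unparseable".
    """
    path = Path(directory) / LOCAL_CONFIG
    if not path.is_file():
        return ("absent", "")
    parser = configparser.ConfigParser(interpolation=None)
    try:
        with path.open(encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh, source=str(path))
    except configparser.Error as exc:
        # Assumption: this is the kind of error behind the ensurepip failure
        return ("unparseable", type(exc).__name__)
    # Parseable files are still worth reviewing: list the sections present
    return ("parseable", ",".join(parser.sections()))


def demo():
    """Run preflight over three constructed directories."""
    samples = {
        "empty": None,
        "garbage": "a < b\n",  # same content as the reproduction
        "valid": "[metadata]\nname = demo\n",  # constructed sample
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            d = Path(tmp) / name
            d.mkdir()
            if content is not None:
                (d / LOCAL_CONFIG).write_text(content, encoding="utf-8")
            results[name] = preflight(d)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the check from a build script before `python3 -m venv` turns the opaque `ensurepip` exit status into a message that names the offending file.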