[New-bugs-announce] [issue45131] `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously

Sean Kelly report at bugs.python.org
Tue Sep 7 14:15:21 EDT 2021

New submission from Sean Kelly <kelly at seankelly.biz>:

Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message. 


$ date -u
Tue Sep  7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.

(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)


Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.

messages: 401320
nosy: nutjob4life
priority: normal
severity: normal
status: open
title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
type: behavior
versions: Python 3.9

Python tracker <report at bugs.python.org>
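
A pre-flight check for the situation in this report, as an added example that is not part of the original message or of CPython: it looks for a `setup.cfg` in the directory where `python3 -m venv` is about to run and tries to parse it with the standard-library `configparser`. That `configparser` is the parser involved in the failure is an assumption (the report does not say); `preflight_setup_cfg` and `demo` are hypothetical names.

```python
import configparser
import tempfile
from pathlib import Path


def preflight_setup_cfg(directory):
    """Report on a setup.cfg in `directory` before running `python3 -m venv` there.

    Returns a dict: present (bool), parse_error (str or None), sections (list).
    """
    cfg = Path(directory) / "setup.cfg"
    result = {"present": cfg.is_file(), "parse_error": None, "sections": []}
    if not result["present"]:
        return result
    # Assumption: an INI-style parse approximates what the tooling does with the file.
    parser = configparser.RawConfigParser()
    try:
        with cfg.open(encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error as exc:
        result["parse_error"] = type(exc).__name__
    else:
        # Sections are listed so a reviewer can see what the file would configure.
        result["sections"] = parser.sections()
    return result


def demo():
    """Run the check on constructed directories, including the report's file content."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        cases = {
            "empty": None,                         # no setup.cfg at all
            "garbage": "a < b\n",                  # content written by the report's echo
            "valid": "[metadata]\nname = demo\n",  # constructed sample
        }
        for name, content in cases.items():
            d = base / name
            d.mkdir()
            if content is not None:
                (d / "setup.cfg").write_text(content, encoding="utf-8")
            out[name] = preflight_setup_cfg(d)
    return out


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

Running the check on the working directory before creating the environment surfaces a stray or unexpected `setup.cfg` directly instead of through the opaque `ensurepip` exit status.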
