[New-bugs-announce] [issue45131] `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
report at bugs.python.org
Tue Sep 7 14:15:21 EDT 2021
New submission from Sean Kelly <kelly at seankelly.biz>:
Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message.
$ date -u
Tue Sep 7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)
Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.
title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
versions: Python 3.9
Python tracker <report at bugs.python.org>
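
A pre-flight check for the condition in this report, as an added example that is not part of the original submission or of CPython: it inspects `setup.cfg` in a directory before `python3 -m venv` is run there. It assumes the file is parsed INI-style (modelled here with `configparser`); the function names and the rule that an `[install]` section needs review are assumptions of this example.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: in distutils-style config, [install] options can redirect install paths.
REVIEW_SECTIONS = {"install"}

def preflight_setup_cfg(directory="."):
    """Inspect <directory>/setup.cfg before creating a venv from that directory.

    Returns a dict: present, parse_error (str or None), sections, needs_review.
    """
    path = Path(directory) / "setup.cfg"
    result = {"present": path.is_file(), "parse_error": None,
              "sections": [], "needs_review": []}
    if not result["present"]:
        return result
    parser = configparser.ConfigParser(interpolation=None)
    try:
        with path.open(encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh, source=str(path))
    except configparser.Error as exc:
        # Keep only the first line of the message; later lines echo file content.
        result["parse_error"] = f"{type(exc).__name__}: {exc}".splitlines()[0]
        return result
    result["sections"] = parser.sections()
    result["needs_review"] = sorted(REVIEW_SECTIONS & set(result["sections"]))
    return result

def safe_to_create_venv(directory="."):
    """True when no setup.cfg is present, or it parses and nothing is flagged."""
    r = preflight_setup_cfg(directory)
    return not r["present"] or (r["parse_error"] is None and not r["needs_review"])

def demo():
    """Run the check on the report's own input, written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "setup.cfg").write_text("a < b\n")  # constructed sample
        return preflight_setup_cfg(tmp)

if __name__ == "__main__":
    print(demo())
```

Running `python3 -m venv` with an empty working directory and an absolute target path sidesteps the local file entirely; the check above is for cases where the working directory cannot be changed.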