[issue41944] [security] Python testsuite calls eval() on content received via HTTP

Florian Bruhin report at bugs.python.org
Tue Oct 6 05:42:03 EDT 2020


Florian Bruhin <python.org at the-compiler.org> added the comment:

That assumption is false. For starters, distribution packagers do:

https://github.com/archlinux/svntogit-packages/blob/3fc85177e35d1ff9ab000950c5d1af9567730434/trunk/PKGBUILD#L72-L84

https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168

When I build a Python from source (via an Arch User Repository package), I do as well, and so does anyone installing those packages by default.

Anyone building with --enable-optimizations (PGO) will likely do so as well, though I'm not sure if that runs this part of the testsuite.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41944>
_______________________________________
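The issue title is the security point of this thread: a test that passes a body fetched over HTTP to eval() turns a network response into code execution on whatever machine runs the test suite, which, as the comment above notes, includes distribution build hosts. The following is an added illustration, not code from CPython or from this tracker thread; the response bodies are constructed for the example, and the real test, URL and expected format are not shown on the page. It contrasts eval() with ast.literal_eval(), which accepts only literal syntax and rejects anything that could execute.

```python
import ast

# Constructed sample "response bodies" standing in for content received over HTTP.
# The actual test-suite code and the data it fetches are not on the page; these
# strings are invented to show the difference between the two parsing approaches.
SAMPLE_BODIES = {
    "literal": "{'status': 'ok', 'count': 3}",  # plain literal data
    "expression": "len('abc')",                 # valid Python, but a call, not a literal
    "garbage": "not python at all",             # not parseable at all
}


def parse_with_eval(body):
    """The risky pattern: eval() executes whatever Python the body contains.

    A literal comes back as data, but so does the *result of running* any
    expression the remote side chose to send.
    """
    return eval(body)


def parse_with_literal_eval(body):
    """Safer replacement: ast.literal_eval() only accepts literal syntax
    (dicts, lists, tuples, numbers, strings, booleans, None) and raises
    ValueError for other expression nodes or SyntaxError for non-Python text.
    """
    return ast.literal_eval(body)


def classify(body):
    """Report whether a body is pure literal data or would be rejected by the
    safe parser; used to check untrusted input before trusting it."""
    try:
        ast.literal_eval(body)
        return "literal"
    except (ValueError, SyntaxError):
        return "rejected"


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:10s} -> {classify(body)}")
```

The practical rule the example demonstrates: if the fetched content is meant to be data, parse it with a data parser (ast.literal_eval() for Python literals, json.loads() for JSON) and let the parser reject anything else, rather than letting the network peer decide what the test process executes.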