[Python-Dev] Safely importing zip files with C extensions
Thomas Heller
theller at ctypes.org
Fri Mar 29 13:00:29 CET 2013
Am 29.03.2013 02:06, schrieb Gregory P. Smith:
>
> On Thu, Mar 28, 2013 at 9:09 AM, Brett Cannon <brett at python.org
> <mailto:brett at python.org>> wrote:
>
> On Thu, Mar 28, 2013 at 10:44 AM, Thomas Heller <theller at ctypes.org
> <mailto:theller at ctypes.org>> wrote:
>
> The zip-file itself could support importing compiled extensions
> when it contains a python-wrapper module that unpacks the
> .so/.dll file somewhere, and finally calls imp.load_dynamic() to
> import it and replace itself.
>
>
> Which must be done carefully to prevent a security issue. It
> shouldn't be unzipped anywhere but into a directory only writable by
> the process.
>
>
> Once http://sourceware.org/bugzilla/show_bug.cgi?id=11767 is implemented
> and available in libc, no extraction of .so's should be needed (they
> will likely need to be stored uncompressed in the .zip file for that
> though).
For windows there is already code that does it:
http://www.py2exe.org/index.cgi/Hacks/ZipExtImporter
This page is not up-to-date, but it describes the idea and the
implementation. The code currently is 32-bit only and for Python 2
but that probably can be fixed.
It is based on Joachim Bauch's MemoryModule:
https://github.com/fancycode/MemoryModule
Thomas
More information about the Python-Dev
mailing list