[Python-Dev] Safely importing zip files with C extensions

Thomas Heller theller at ctypes.org
Fri Mar 29 13:00:29 CET 2013

Am 29.03.2013 02:06, schrieb Gregory P. Smith:
> On Thu, Mar 28, 2013 at 9:09 AM, Brett Cannon <brett at python.org
> <mailto:brett at python.org>> wrote:
>     On Thu, Mar 28, 2013 at 10:44 AM, Thomas Heller <theller at ctypes.org
>     <mailto:theller at ctypes.org>> wrote:
>         The zip-file itself could support importing compiled extensions
>         when it contains a python-wrapper module that unpacks the
>         .so/.dll file somewhere, and finally calls imp.load_dynamic() to
>         import it and replace itself.
>     Which must be done carefully to prevent a security issue. It
>     shouldn't be unzipped anywhere but into a directory only writable by
>     the process.
> Once http://sourceware.org/bugzilla/show_bug.cgi?id=11767 is implemented
> and available in libc, no extraction of .so's should be needed (they
> will likely need to be stored uncompressed in the .zip file for that
> though).

For windows there is already code that does it:


This page is not up-to-date, but it describes the idea and the
implementation.  The code currently is 32-bit only and for Python 2
but that probably can be fixed.

It is based on Joachim Bauch's MemoryModule:


More information about the Python-Dev mailing list