[Python-Dev] PEP 476: Enabling certificate validation by default!
antoine at python.org
Mon Sep 1 14:41:56 CEST 2014
On 01/09/2014 10:09, Nick Coghlan wrote:
> On 1 September 2014 17:13, Christian Heimes <christian at python.org> wrote:
>> On 01.09.2014 08:44, Nick Coghlan wrote:
>>> Yes, it would have exactly the same security failure modes as
>>> sitecustomize, except it would only fire if the application
>>> imported the ssl module.
>>> The "-S" and "-I" switches would need to disable the implied
>>> "sslcustomize", just as they disable "import site".
>> A malicious package can already play havoc with your installation with
>> a custom ssl module. If somebody is able to sneak in a ssl.py then you
>> are screwed anyway. sslcustomize is not going to make the situation worse.
> That's not quite true - we're fairly careful about putting the
> standard library before userspace directories, so aside from the
> "current directory" problem, shadowing "ssl" itself can be tricky to
Not sure why. Just put another module named "ssl" in sys.modules directly.
You can also monkeypatch the genuine ssl module.
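The two substitutions mentioned above, registering a stand-in under sys.modules["ssl"] and patching a function on the genuine module, as an added example that is not part of the thread, together with a small defender-side sanity check (function names and the "/constructed/not-stdlib/ssl.py" origin are made up for the demo). Such a check runs inside the same interpreter as the substituted code, so it catches accidents and misconfiguration rather than acting as a security boundary; keeping untrusted code off sys.path (and -I/-S where they apply) is what actually prevents the substitution.

```python
import importlib
import importlib.machinery
import os
import sys
import sysconfig
import types

def _stdlib_dir():
    return os.path.realpath(sysconfig.get_paths()["stdlib"])

def ssl_module_report():
    """Where does 'import ssl' currently resolve, and does it look intact?"""
    mod = importlib.import_module("ssl")  # returns sys.modules["ssl"] if present
    origin = getattr(getattr(mod, "__spec__", None), "origin", None)
    in_stdlib = bool(origin) and os.path.realpath(origin).startswith(_stdlib_dir() + os.sep)
    cdc = getattr(mod, "create_default_context", None)
    return {
        "origin": origin,
        "in_stdlib": in_stdlib,
        "has_SSLContext": isinstance(getattr(mod, "SSLContext", None), type),
        # a replacement defined in another file carries that file's __module__
        "create_default_context_from_ssl": getattr(cdc, "__module__", None) == "ssl",
    }

def is_genuine_ssl():
    r = ssl_module_report()
    return r["in_stdlib"] and r["has_SSLContext"] and r["create_default_context_from_ssl"]

def restore_ssl():
    """Drop any cached entry so the next import loads the real module from disk."""
    sys.modules.pop("ssl", None)
    return importlib.import_module("ssl")

def shadow_ssl_for_demo():
    """Constructed stand-in: an empty module object registered under 'ssl'."""
    fake = types.ModuleType("ssl")
    fake.__spec__ = importlib.machinery.ModuleSpec(
        "ssl", None, origin="/constructed/not-stdlib/ssl.py")
    sys.modules["ssl"] = fake
    return fake

def monkeypatch_ssl_for_demo():
    """Constructed stand-in: the genuine module with one function replaced."""
    mod = restore_ssl()
    def patched(*args, **kwargs):  # lives in this file, so __module__ != "ssl"
        return None
    mod.create_default_context = patched
    return mod
```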