[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Mon Sep 1 17:35:05 CEST 2014

On 2 Sep 2014 00:59, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
> On Tue, 2 Sep 2014 00:53:11 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
> > >
> > > To be frank I don't understand what you're arguing about.
> >
> > When I said "shadowing ssl can be tricky to arrange", Chris correctly
> > interpreted it as referring to the filesystem based privilege escalation
> > scenario that isolated mode handles, not to normal in-process
> > monkeypatching or module injection.
> There's no actual difference. You can have a sitecustomize.py that does
> the monkeypatching or the shadowing. There doesn't seem to be anything
> "tricky" about that.

Oh, now I get what you mean - yes, sitecustomize already poses the same
kind of problem as the proposed sslcustomize (hence the existence of the
related command line options).

I missed that you had switched to talking about using that attack vector,
rather than trying to shadow stdlib modules directly through the filesystem
(which is the only tricky thing I was referring to).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140902/0fa901b4/attachment.html>

More information about the Python-Dev mailing list