[Python-Dev] PEP 476: Enabling certificate validation by default!
donald at stufft.io
Mon Sep 1 18:48:23 CEST 2014
> On Sep 1, 2014, at 11:35 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 2 Sep 2014 00:59, "Antoine Pitrou" <solipsis at pitrou.net <mailto:solipsis at pitrou.net>> wrote:
> > On Tue, 2 Sep 2014 00:53:11 +1000
> > Nick Coghlan <ncoghlan at gmail.com <mailto:ncoghlan at gmail.com>> wrote:
> > > >
> > > > To be frank I don't understand what you're arguing about.
> > >
> > > When I said "shadowing ssl can be tricky to arrange", Chris correctly
> > > interpreted it as referring to the filesystem based privilege escalation
> > > scenario that isolated mode handles, not to normal in-process
> > > monkeypatching or module injection.
> > There's no actual difference. You can have a sitecustomize.py that does
> > the monkeypatching or the shadowing. There doesn't seem to be anything
> > "tricky" about that.
> Oh, now I get what you mean - yes, sitecustomize already poses the same kind of problem as the proposed sslcustomize (hence the existence of the related command line options).
> I missed that you had switched to talking about using that attack vector, rather than trying to shadow stdlib modules directly through the filesystem (which is the only tricky thing I was referring to).
> Python-Dev mailing list
> Python-Dev at python.org
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
Or you can just install something with easy_install, or you can drop a .pth file and monkey patch there. You can’t stop people from overriding modules, it’s trivial to do. The sys.path ordering just makes it slightly less trivial.
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Python-Dev