[Python-Dev] PEP 476: Enabling certificate validation by default!

M.-A. Lemburg mal at egenix.com
Mon Sep 8 10:09:26 CEST 2014

On 01.09.2014 10:09, Nick Coghlan wrote:
> On 1 September 2014 17:13, Christian Heimes <christian at python.org> wrote:
>> On 01.09.2014 08:44, Nick Coghlan wrote:
>>> Yes, it would have exactly the same security failure modes as
>>> sitecustomize, except it would only fire if the application
>>> imported the ssl module.
>>> The "-S" and "-I" switches would need to disable the implied
>>> "sslcustomize", just as they disable "import site".
>> A malicious package can already play havoc with your installation with
>> a custom ssl module. If somebody is able to sneak in a ssl.py then you
>> are screwed anyway. sslcustomize is not going to make the situation worse.
> That's not quite true - we're fairly careful about putting the
> standard library before userspace directories, so aside from the
> "current directory" problem, shadowing "ssl" itself can be tricky to
> arrange.

It's really easy to modify sys.modules to override any module
that has already been loaded or add new ones bypassing sys.path
entirely, so the sys.path layout doesn't provide any protection
against such hacks.

If you gain access to one of the dirs on sys.path, you can play
such tricks in sitecustomize.py. Any 3rd party package can do
the same.

We'd have to add digital API signatures to the ssl module to
prevent such stunts :-)

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Sep 08 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2014-08-27: Released eGenix PyRun 2.0.1 ...       http://egenix.com/go62
2014-09-19: PyCon UK 2014, Coventry, UK ...                11 days to go
2014-09-27: PyDDF Sprint 2014 ...                          19 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-Dev mailing list