[Python-Dev] PYTHONHTTPSVERIFY env var
M.-A. Lemburg
mal at egenix.com
Mon May 11 10:04:25 CEST 2015
On 10.05.2015 05:04, Robert Collins wrote:
> On 10 May 2015 at 11:44, Chris Angelico <rosuav at gmail.com> wrote:
>> On Sun, May 10, 2015 at 4:13 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> By providing a way to intentionally switch off the new default,
>>> we do make people aware of the risks and that's good enough,
>>> while still maintaining the contract people rightly expect of
>>> patch level releases of Python.
>>
>> Just as long as it's the sysadmin, and NOT some random attacker over
>> the internet, who has the power to downgrade security. Environment
>> variables can be attacked in various ways.
>
> They can, and the bash fun was very good evidence of that.
>
> OTOH if someone's environment is at risk, PATH and PYTHONPATH are
> already very effective attack vectors.

If an attacker has access to the process environment, you're doomed
anyway, so that's not really an argument for or against using
environment variables :-)

You'd just need to create a file os.py and point PYTHONPATH at it.

--
Marc-Andre Lemburg
eGenix.com
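
Added example, not part of the original message or of CPython: a defender's check for the point discussed in this thread, that a child interpreter trusts whatever environment it inherits. The helper names, the list of variables treated as sensitive, and the marker module `planted_marker_mod` are assumptions made for illustration; `-E` is CPython's documented flag for ignoring `PYTHON*` variables.

```python
import os
import subprocess
import sys
import tempfile

# Variables that change interpreter behaviour. PYTHONHTTPSVERIFY is the one
# named in this thread's subject; the list itself is an assumption.
SENSITIVE = ("PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PYTHONHTTPSVERIFY")


def audit_environment(env):
    """Return the sensitive variables that are set in env."""
    return {k: env[k] for k in SENSITIVE if k in env}


def scrubbed(env):
    """Return a copy of env with every PYTHON* variable removed."""
    return {k: v for k, v in env.items() if not k.upper().startswith("PYTHON")}


def child_can_import(module, env, ignore_env):
    """Spawn a child interpreter; True if it manages to import module."""
    flags = ["-E"] if ignore_env else []
    cmd = [sys.executable] + flags + ["-c", "import " + module]
    result = subprocess.run(cmd, env=env, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed, harmless module standing in for a file on PYTHONPATH.
        with open(os.path.join(d, "planted_marker_mod.py"), "w") as f:
            f.write("VALUE = 1\n")
        env = dict(os.environ, PYTHONPATH=d, PYTHONHTTPSVERIFY="0")
        return {
            "found": sorted(audit_environment(env)),
            # Inherited environment: the child picks the module up.
            "inherited": child_can_import("planted_marker_mod", env, False),
            # Same environment, but the child is told to ignore PYTHON* vars.
            "with_E": child_can_import("planted_marker_mod", env, True),
            # Parent removes PYTHON* vars before spawning.
            "scrubbed": child_can_import("planted_marker_mod", scrubbed(env), False),
        }


if __name__ == "__main__":
    print(demo())
```

Both mitigations only help when the parent process is itself trusted: they stop a service from passing an untrusted environment on to the interpreters it launches.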