[Python-ideas] Remote package/module imports through HTTP/S

John Torakis john.torakis at gmail.com
Wed Aug 23 13:49:12 EDT 2017


Bounced back on list



-------- Forwarded Message --------
Subject: 	Re: [Python-ideas] Remote package/module imports through HTTP/S
Date: 	Wed, 23 Aug 2017 20:36:19 +0300
From: 	John Torakis <john.torakis at gmail.com>
To: 	Chris Angelico <rosuav at gmail.com>



Yeah, I am a security researcher, I am keen on backdoor programming and
staging and all that! It is my official job and research topic! I go to
the office and code such stuff! I am not a blackhat, nor a security
enthusiast, it is my job.


First of all, let's all agree that if someone can run Python code on
your computer you are 100% hacked! It is irrelevant if "httpimport" is a
core Python feature or not in that case.

Now, I agree that this can be exploited if used under plain HTTP, it is
a MiTM -> Remote code execution case. I admit that this is not bright.
But I mention that this can be used in testing.

On the topic of HTTPS, man-in-the-middle is not possible without
previous Trusted Certificate compromise. Github can be trusted 100%,
for example. A certificate check has to take place in the HTTPS
remote loading for sure!

When I said a "core feature" I meant that the "httpimport" module would
deliver with the core modules. Not that the Finder/Loader has to be in
the list of Finders/Loaders that are used by default! For God's sake, I
wouldn't like my PC to start probing for modules just because I mistyped
an import line!

I know that pip works nicely, especially when paired with virtual
environments, but ad-hoc importing is another thing. It isn't
meant for delivering real projects. Just for testing modules without the
need to download them, maybe install them, and all.


Thank you for your time,
John Torakis


On 23/08/2017 20:17, Chris Angelico wrote:
> On Thu, Aug 24, 2017 at 2:55 AM, John Torakis <john.torakis at gmail.com> wrote:
>> Hello all!
>>
>> Today I opened an issue in bugs.python.org
>> (http://bugs.python.org/issue31264) proposing a module I created for
>> remote package/module imports through standard HTTP/S.
>>
>> The concept is that, if a directory is served through HTTP/S (the way
>> SimpleHTTPServer module serves directories), a Finder/Loader object can
>> fetch Python files from that directory using HTTP requests, and finally
>> load them as modules (or packages) in the running namespace.
>>
>> The repo containing a primitive (but working) version of the
>> Finder/Loader, also contains self explanatory examples (in the README.md):
>>
>> https://github.com/operatorequals/httpimport
>>
>>
>> My proposal is that this module can become a core Python feature,
>> providing a way to load modules even from Github.com repositories,
>> without the need to "git clone - setup.py install" them.
>>
>>
>> Other languages, like golang, provide this functionality from their
>> early days (day one?). Python development can be greatly improved if a
>> "try before pip installing" mechanism gets in place, as it will add a
>> lot to the REPL nature of the testing/experimenting process.
> As a core feature? No no no no no no no no. Absolutely do NOT WANT
> THIS. This is a security bug magnet; can you imagine trying to ensure
> that malicious code is not executed, in an arbitrary execution
> context? As an explicitly-enabled feature, it's a lot less hairy than
> a permanently-active one (can you IMAGINE how terrifying that would
> be?), but even so, trying to prove that addRemoteRepo (not a
> PEP8-compliant name, btw) is getting the correct code is not going to
> be easy. You have to (a) drop HTTP altogether and mandate SSL and (b)
> be absolutely sure that your certificate chains are 100% dependable,
> which - as we've seen recently - is a nontrivial task.
>
> The easiest way to add remote code is pip. For most packages, that's
> what you want to be using:
>
> pip install requests
>
> will make "import requests" functional. I don't see pip mentioned
> anywhere in your README, but you do mention the testing of pull
> requests, so at very least, this wants some explanatory screed.
>
> But I'm not entirely sure I want to support this. You're explicitly
> talking about using this with the creation of backdoors... in what,
> exactly? What are you actually getting at here?
>
> ChrisA
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
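
As an added example (not the httpimport code from the repo linked above, and not part of either post), here is a Finder/Loader that applies the controls the thread asks for: HTTPS only with certificate verification, explicit opt-in through a context manager so a mistyped import never probes the network, and a SHA-256 pin per fetched file. The served directory, module name and pin are constructed; it handles single modules, not packages.

```python
import hashlib
import importlib.abc
import importlib.util
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit


class PinnedHttpsFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    def __init__(self, base_url, pins, fetch=None):
        if urlsplit(base_url).scheme != "https":
            raise ValueError("remote imports are only allowed over https://")
        self.base_url, self.pins, self._sources = base_url.rstrip("/"), dict(pins), {}
        self.fetch = fetch or self._fetch_https  # injectable so tests stay offline

    @staticmethod
    def _fetch_https(url):
        with urllib.request.urlopen(url, context=ssl.create_default_context(), timeout=10) as resp:
            return resp.read()  # default context verifies the chain and the hostname

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.pins:
            return None  # unknown or mistyped names never cause a network request
        url = f"{self.base_url}/{fullname}.py"
        data = self.fetch(url)
        digest = hashlib.sha256(data).hexdigest()
        if digest != self.pins[fullname]:
            raise ImportError(f"{fullname}: sha256 {digest} does not match pin")
        self._sources[fullname] = data
        return importlib.util.spec_from_loader(fullname, self, origin=url)

    def exec_module(self, module):
        code = compile(self._sources[module.__name__], module.__spec__.origin, "exec")
        exec(code, module.__dict__)

    def __enter__(self):  # explicit opt-in; appended so local finders take precedence
        sys.meta_path.append(self)
        return self

    def __exit__(self, *exc):
        sys.meta_path.remove(self)


# Constructed stand-in for a directory served over HTTPS; nothing touches the network.
FAKE_SITE = {"https://example.invalid/mods/greet.py": b"def hello(n):\n    return 'hello ' + n\n"}
GOOD_PIN = hashlib.sha256(FAKE_SITE["https://example.invalid/mods/greet.py"]).hexdigest()


def import_pinned(name, pin):
    sys.modules.pop(name, None)  # force the finder to run again for each demo call
    with PinnedHttpsFinder("https://example.invalid/mods", {name: pin}, fetch=FAKE_SITE.__getitem__):
        return importlib.import_module(name)
```

A wrong pin raises ImportError before any code from the fetched file is executed, and leaving the `with` block removes the finder from `sys.meta_path` again.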

