virtualpython / workingenv / virtualenv ... shouldn't this be part of python

Christian Heimes lists at cheimes.de
Fri Jan 11 21:55:24 CET 2008


Goldfish wrote:
> What about security holes, like a malicious version of socket getting
> downloaded into a user's directory, and overriding the default, safe
> version? Don't forget that in your PEP.

A malicious piece of software has already hundreds of way to overwrite
modules. It could add a python executable to ~/bin and add ~/bin to
PATH. it could modify .bashrc and add PYTHONPATH. Or it could drop some
site.py and sitecustomize.py files in various directories.

If you allow malicious or potential harmful software to write in your
home directory you are lost. The new feature doesn't add new attack
vectors.

Christian




More information about the Python-list mailing list