Message 374024 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	larry
Recipients	Tibor Csonka, anthonywee, eryksun, larry, lukasz.langa, miss-islington, ned.deily, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date	2020年07月20日.20:18:21
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1595276302.55.0.713676350952.issue29778@roundup.psfhosted.org>

Content
I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly. And that seems way more straightforward. Why would anyone bother with this?

Content

I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly. And that seems way more straightforward. Why would anyone bother with this?

History
Date	User	Action	Args
2020年07月20日 20:18:22	larry	set	recipients: + larry, paul.moore, vstinner, tim.golden, ned.deily, lukasz.langa, zach.ware, eryksun, steve.dower, Tibor Csonka, miss-islington, anthonywee
2020年07月20日 20:18:22	larry	set	messageid: <1595276302.55.0.713676350952.issue29778@roundup.psfhosted.org>
2020年07月20日 20:18:22	larry	link	issue29778 messages
2020年07月20日 20:18:21	larry	create

homepage