On 1 September 2014 16:07, Paul Moore <p.f.moore at gmail.com> wrote: > On 31 August 2014 23:10, Nick Coghlan <ncoghlan at gmail.com> wrote: >> Assuming sslcustomize was in site-packages rather than the standard library >> directories, you would also be able to use virtual environments with an >> appropriate sslcustomize module to disable cert checking even if the >> application you were running didn't support direct configuration. > > Would this mean that a malicious package could install a custom > sslcustomize.py and so add unwanted certs to the system? I guess we > have to assume that installed packages are trusted, but I just wanted > to be explicit. Yes, it would have exactly the same security failure modes as sitecustomize, except it would only fire if the application imported the ssl module. The "-S" and "-I" switches would need to disable the implied "sslcustomize", just as they disable "import site". Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4