On 01/09/2014 10:09, Nick Coghlan wrote:
> On 1 September 2014 17:13, Christian Heimes <christian at python.org> wrote:
>> On 01.09.2014 08:44, Nick Coghlan wrote:
>>> Yes, it would have exactly the same security failure modes as
>>> sitecustomize, except it would only fire if the application
>>> imported the ssl module.
>>>
>>> The "-S" and "-I" switches would need to disable the implied
>>> "sslcustomize", just as they disable "import site".
>>
>> A malicious package can already play havoc with your installation with
>> a custom ssl module. If somebody is able to sneak in a ssl.py then you
>> are screwed anyway. sslcustomize is not going to make the situation worse.
>
> That's not quite true - we're fairly careful about putting the
> standard library before userspace directories, so aside from the
> "current directory" problem, shadowing "ssl" itself can be tricky to
> arrange.

Not sure why. Just put another module named "ssl" in sys.modules
directly. You can also monkeypatch the genuine ssl module.

Regards

Antoine.
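An added example, not part of the original thread: a startup or test-time check for the two cases raised in the reply above, a replaced `sys.modules["ssl"]` entry and a monkeypatched function on the genuine module. The name `audit_ssl` and the list of checked functions are assumptions made for illustration, and the check assumes the standard library is installed as an unpacked directory.

```python
import os
import ssl  # ensure the module under audit is loaded
import sys
import sysconfig

# Assumption: functions whose origin we verify; extend for your application.
CHECKED_FUNCTIONS = ("create_default_context", "_create_unverified_context",
                     "get_server_certificate")


def audit_ssl(module=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    mod = module if module is not None else sys.modules.get("ssl")
    if mod is None:
        return ["ssl is not present in sys.modules"]
    # A module object built at runtime and placed in sys.modules has no
    # import spec pointing at a file on disk.
    origin = getattr(getattr(mod, "__spec__", None), "origin", None)
    if not origin or not os.path.isfile(origin):
        return ["module has no file-backed import spec"]
    origin = os.path.realpath(origin)
    findings = []
    # Assumption: the standard library is an unpacked directory (not a zip).
    stdlib = os.path.realpath(sysconfig.get_path("stdlib"))
    if os.path.dirname(origin) != stdlib:
        findings.append("loaded from %s, outside %s" % (origin, stdlib))
    # A monkeypatched function carries a code object compiled from another file.
    for name in CHECKED_FUNCTIONS:
        code = getattr(getattr(mod, name, None), "__code__", None)
        if code is None or os.path.realpath(code.co_filename) != origin:
            findings.append("%s is not the function defined in %s" % (name, origin))
    return findings


if __name__ == "__main__":
    for finding in audit_ssl() or ["ssl matches the standard-library copy"]:
        print(finding)
```

Code already running in the same interpreter can forge these attributes or patch the check itself, so this is tamper-evidence for tests and startup assertions rather than a security boundary.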