GNU bug report logs -
#70440
[PATCH] Use -P switch when calling 'python-interpreter'
Message #32 received at 70440 <at> debbugs.gnu.org (full text, mbox):
On Fri, 19 Apr 2024 at 10:15, Eli Zaretskii wrote:
>> From: Augusto Stoffel <arstoffel <at> gmail.com>
>> Cc: Eli Zaretskii <eliz <at> gnu.org>, 70440 <at> debbugs.gnu.org
>> Date: Fri, 19 Apr 2024 08:08:43 +0200
>>
>> On Fri, 19 Apr 2024 at 00:25, kobarity wrote:
>>
>> > The -P switch is new, introduced in CPython 3.11, so I don't think it
>> > can be added unconditionally. Furthermore, `python-interpreter' may
>> > not be CPython. Isn't it enough to customize
>> > `python-interpreter-args'?
>>
>> After sleeping on this, I recommend using -P anyway and simply failing
>> if the installed Python is too old.
>>
>> The reason is that this has a security implication, similar to the
>> recent Org mode LaTeX preview situation. Without -P the user is tacitly
>> trusting the contents of the current directory. By tricking a user
>> into downloading a malicious file with an intentional name clash (say
>> via git pull), arbitrary code could in principle be executed on the
>> user's machine.
>>
>> The -P switch completely removes this possibility, and conversely,
>> without -P there seems to be no reasonable way to make Python safe.
>>
>> I've attached a new patch that informs the user why the commands failed
>> when Python is too old, which is good enough in my opinion. Note also
>> that this change only affects the Python import management commands,
>> which is a very handy but by no means essential feature.
>
> Doing it this way would be an annoyance. Users could have
> less-than-the-latest Python (or non-CPython version) installed for any
> number of reasons, and it is not our business to annoy them because of
> this. Security of using Python is not our concern, it is the user's
> concern.
>
> So I'd prefer that the change probed the support for the -P switch
> when the relevant Emacs commands/functions are first invoked, and used
> that if -P is supported, without any annoying messages. Do you see
> any problems with such an approach?
>
> Thanks.

Okay, you are the maintainer, but I hope I explained well that this is a
security hole.

(Apart from the security aspect, without -P the tool will just
mysteriously stop working if a file with a name such as csv.py is added
to the project; that's what happened to me. Perhaps outright not
working and explaining why is not as bad as working fine until it
doesn't anymore.)
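
Added example, not part of the message or of the submitted patch: a Python sketch of the "probe for -P, then use it if supported" approach discussed above, checked against the `csv.py` name clash the message mentions. The function names are hypothetical, the `csv.py` file is a constructed inert placeholder, and Python is used here instead of the Emacs Lisp the patch itself would be written in.

```python
import os
import subprocess
import sys
import tempfile


def supports_safe_path(interpreter):
    """Probe once: True if `interpreter` accepts -P (CPython 3.11+)."""
    try:
        proc = subprocess.run([interpreter, "-P", "-c", "pass"],
                              capture_output=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def interpreter_argv(interpreter):
    """Add -P only when the probe succeeds, otherwise run unchanged."""
    return [interpreter, "-P"] if supports_safe_path(interpreter) else [interpreter]


def csv_loaded_from(argv, project):
    """Run `import csv` with cwd=project; True if it resolved inside project."""
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)  # measure the flag, not the environment
    out = subprocess.run(argv + ["-c", "import csv; print(csv.__file__)"],
                         cwd=project, env=env, capture_output=True,
                         text=True, check=True, timeout=30)
    origin = os.path.realpath(os.path.dirname(out.stdout.strip()))
    return origin == project


def demo(interpreter=sys.executable):
    """Return (shadowed_without_flag, shadowed_with_probed_argv, has_p)."""
    with tempfile.TemporaryDirectory() as tmp:
        project = os.path.realpath(tmp)
        # Constructed, inert stand-in for a name-clashing file in a project.
        with open(os.path.join(project, "csv.py"), "w") as fh:
            fh.write("# constructed placeholder shadowing stdlib csv\n")
        plain = csv_loaded_from([interpreter], project)
        probed = csv_loaded_from(interpreter_argv(interpreter), project)
        return plain, probed, supports_safe_path(interpreter)


if __name__ == "__main__":
    plain, probed, has_p = demo()
    print(f"-P supported: {has_p}")
    print(f"csv.py in project shadows stdlib without -P: {plain}")
    print(f"csv.py in project shadows stdlib with probed argv: {probed}")
```

On an interpreter where the probe fails, the second result equals the first: the silent fallback keeps the current-directory lookup in place.
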
This bug report was last modified 1 year and 59 days ago.