GNU bug report logs - #70440
[PATCH] Use -P switch when calling 'python-interpreter'


Package: emacs;

Reported by: Augusto Stoffel <arstoffel <at> gmail.com>

Date: Wed, 17 Apr 2024 18:24:04 UTC

Severity: normal

Tags: patch




From: Eli Zaretskii <eliz <at> gnu.org>
To: Augusto Stoffel <arstoffel <at> gmail.com>
Cc: 70440 <at> debbugs.gnu.org, kobarity <at> gmail.com
Subject: bug#70440: [PATCH] Use -P switch when calling 'python-interpreter'
Date: Fri, 19 Apr 2024 18:40:49 +0300
> From: Augusto Stoffel <arstoffel <at> gmail.com>
> Cc: kobarity <at> gmail.com,  70440 <at> debbugs.gnu.org
> Date: Fri, 19 Apr 2024 17:21:48 +0200
> 
> On Fri, 19 Apr 2024 at 10:15, Eli Zaretskii wrote:
> 
> >> From: Augusto Stoffel <arstoffel <at> gmail.com>
> >> Cc: Eli Zaretskii <eliz <at> gnu.org>,  70440 <at> debbugs.gnu.org
> >> Date: Fri, 19 Apr 2024 08:08:43 +0200
> >> 
> >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote:
> >> 
> >> > The -P switch is new, introduced in CPython 3.11, so I don't think it
> >> > can be added unconditionally.  Furthermore, `python-interpreter' may
> >> > not be CPython.  Isn't it enough to customize
> >> > `python-interpreter-args'?
> >> 
> >> After sleeping on this, I recommend using -P anyway and simply failing
> >> if the installed Python is too old.
> >> 
> >> The reason is that this has a security implication, similar to the
> >> recent Org mode Latex preview situation.  Without -P the user is tacitly
> >> trusting the contents of the current directory.  By tricking a user
> >> into downloading a malicious file with an intentional name clash (say
> >> via git pull), arbitrary code could in principle be executed on the
> >> user's machine.
> >> 
> >> The -P switch completely removes this possibility, and conversely,
> >> without -P there seems to be no reasonable way to make Python safe.
> >> 
> >> I've attached a new patch that informs the user why the commands failed
> >> when Python is too old, which is good enough in my opinion.  Note also
> >> that this change only affects the Python import management commands,
> >> which is a very handy but by no means essential feature.
> >
> > Doing it this way would be an annoyance.  Users could have
> > less-than-the-latest Python (or non-CPython version) installed for any
> > number of reasons, and it is not our business to annoy them because of
> > this.  Security of using Python is not our concern, it is the user's
> > concern.
> >
> > So I'd prefer that the change probed the support for the -P switch
> > when the relevant Emacs commands/functions are first invoked, and used
> > that if -P is supported, without any annoying messages.  Do you see
> > any problems with such an approach?
> >
> > Thanks.
> 
> Okay, you are the maintainer, but I hope I explained well that this is a
> security hole.

I'm not sure I understand: if the user doesn't have a version of
Python which supports this option, what else can we do?  Refuse to
use such a Python?  That doesn't seem to be an option we can use.

Yes, this is a security hole, but it's the user's security hole, not
ours, if the user doesn't install the safer Python.
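As an added illustration, not part of this thread or of Emacs's python.el: a Python script that implements the probe Eli proposes (try -P once, cache the answer, add the switch only when it works) and demonstrates the current-directory shadowing Augusto describes. The module name, function names and marker string are constructed for this demonstration.

```python
import functools
import os
import subprocess
import sys
import tempfile

# Constructed name for the module dropped into the working directory.
SHADOW_MODULE = "emacs_probe_shadow"
THIS_INTERPRETER = sys.executable
CAN_USE_P = sys.version_info >= (3, 11)  # -P was introduced in CPython 3.11


@functools.lru_cache(maxsize=None)
def supports_safe_path(interpreter: str) -> bool:
    """Probe once whether INTERPRETER accepts -P; the result is cached so the
    probe runs only the first time, as suggested in the thread."""
    try:
        proc = subprocess.run([interpreter, "-P", "-c", "pass"],
                              capture_output=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return False
    return proc.returncode == 0


def interpreter_args(interpreter: str, extra=()) -> list:
    """Build the command line, inserting -P only when the probe succeeded."""
    args = [interpreter]
    if supports_safe_path(interpreter):
        args.append("-P")
    args.extend(extra)
    return args


def cwd_module_is_importable(interpreter: str, safe_path: bool) -> bool:
    """Run `python -c "import <module>"` from a temp directory containing that
    module. Without -P the directory is on sys.path and the import succeeds;
    with -P it is not, so the import fails. Returns True when it succeeded."""
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)  # make the result independent of the caller's env
    with tempfile.TemporaryDirectory() as cwd:
        with open(os.path.join(cwd, SHADOW_MODULE + ".py"), "w") as f:
            f.write("MARKER = 'loaded from cwd'\n")  # benign constructed module
        argv = [interpreter] + (["-P"] if safe_path else [])
        argv += ["-c", f"import {SHADOW_MODULE}; print({SHADOW_MODULE}.MARKER)"]
        proc = subprocess.run(argv, cwd=cwd, env=env, capture_output=True,
                              text=True, timeout=30)
    return proc.returncode == 0 and "loaded from cwd" in proc.stdout
```

Run with the interpreter under discussion: on CPython 3.11 or newer the shadow module is imported without -P and rejected with it; on older versions the probe fails and the argument list simply omits the switch.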
