GNU bug report logs - #70440
[PATCH] Use -P switch when calling 'python-interpreter'
Message #35 received at 70440 <at> debbugs.gnu.org (full text, mbox):
> From: Augusto Stoffel <arstoffel <at> gmail.com>
> Cc: kobarity <at> gmail.com, 70440 <at> debbugs.gnu.org
> Date: Fri, 19 Apr 2024 17:21:48 +0200
>
> On Fri, 19 Apr 2024 at 10:15, Eli Zaretskii wrote:
>
> >> From: Augusto Stoffel <arstoffel <at> gmail.com>
> >> Cc: Eli Zaretskii <eliz <at> gnu.org>, 70440 <at> debbugs.gnu.org
> >> Date: Fri, 19 Apr 2024 08:08:43 +0200
> >>
> >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote:
> >>
> >> > The -P switch is new, introduced in CPython 3.11, so I don't think it
> >> > can be added unconditionally. Furthermore, `python-interpreter' may
> >> > not be CPython. Isn't it enough to customize
> >> > `python-interpreter-args'?
> >>
> >> After sleeping on this, I recommend using -P anyway and simply failing
> >> if the installed Python is too old.
> >>
> >> The reason is that this has a security implication, similar to the
> >> recent Org mode LaTeX preview situation. Without -P the user is tacitly
> >> trusting the contents of the current directory. By tricking a user
> >> into downloading a malicious file with an intentional name clash (say
> >> via git pull), arbitrary code could in principle be executed on the
> >> user's machine.
> >>
> >> The -P switch completely removes this possibility, and conversely,
> >> without -P there seems to be no reasonable way to make Python safe.
> >>
> >> I've attached a new patch that informs the user why the commands failed
> >> when Python is too old, which is good enough in my opinion. Note also
> >> that this change only affects the Python import management commands,
> >> which is a very handy but by no means essential feature.
> >
> > Doing it this way would be an annoyance. Users could have
> > less-than-the-latest Python (or non-CPython version) installed for any
> > number of reasons, and it is not our business to annoy them because of
> > this. Security of using Python is not our concern, it is the user's
> > concern.
> >
> > So I'd prefer that the change probed the support for the -P switch
> > when the relevant Emacs commands/functions are first invoked, and used
> > that if -P is supported, without any annoying messages. Do you see
> > any problems with such an approach?
> >
> > Thanks.
>
> Okay, you are the maintainer, but I hope I explained well that this is a
> security hole.
I'm not sure I understand: if the user doesn't have a version of
Python which supports this option, what else can we do? Refuse to
use such a Python? That doesn't seem to be an option we can use.
Yes, this is a security hole, but it's the user's security hole, not
ours, if the user doesn't install the safer Python.
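
Added example, not part of the thread or of Emacs's python.el: the probing approach discussed above, written in Python, together with a check of what -P changes, namely whether a module that exists only in the working directory can be found by the interpreter. The helper names and the module name `cwd_probe_mod` are assumptions made for the illustration.

```python
import functools
import os
import subprocess
import sys
import tempfile


def _run(interpreter, args, cwd=None):
    # Drop variables that would change sys.path on their own and mask the result.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONSAFEPATH", "PYTHONPATH")}
    return subprocess.run([interpreter, *args], cwd=cwd, env=env,
                          capture_output=True, text=True, timeout=30)


@functools.lru_cache(maxsize=None)
def supports_safe_path(interpreter):
    """Probe once per interpreter whether it accepts -P (CPython 3.11+)."""
    try:
        return _run(interpreter, ["-P", "-c", "pass"]).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def interpreter_args(interpreter, base_args=()):
    """Hypothetical helper: add -P silently when the probe succeeds."""
    return (["-P"] if supports_safe_path(interpreter) else []) + list(base_args)


def cwd_module_visible(interpreter, args):
    """True if a module present only in the working directory is importable."""
    code = ("import importlib.util as u;"
            "print(u.find_spec('cwd_probe_mod') is not None)")
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed, harmless stand-in for a file that arrived via `git pull`.
        with open(os.path.join(workdir, "cwd_probe_mod.py"), "w") as fh:
            fh.write("MARK = 1\n")
        out = _run(interpreter, [*args, "-c", code], cwd=workdir).stdout
    return out.strip() == "True"


if __name__ == "__main__":
    py = sys.executable
    print("default args: cwd module visible =", cwd_module_visible(py, []))
    print("probed args :", interpreter_args(py),
          "-> cwd module visible =", cwd_module_visible(py, interpreter_args(py)))
```

On an interpreter that rejects -P, `interpreter_args` returns the base arguments unchanged, so the working directory stays on the import path for that interpreter.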
This bug report was last modified 1 year and 59 days ago.