Open pitrou opened 6 years ago
Python supports a mode where the interpreter ignores environment variables such as PYTHONPATH, etc.
However, there are places in the stdlib where environment-sensitive decisions are made, without regard for the ignore-environment flag.
Examples include:
Do you think those need to be sanitized?
External libraries like sqlite may also use env vars. I know for sure OpenSSL uses SSL_CERT_FILE and SSL_CERT_DIR to override default verify locations.
I don't think -E is a security feature. Even if the stdlib was fixed, there's tons of 3rd-party Python code that consumes os.environ.
It seems like if you really cared about not letting the environment influence a Python application, you'd just wrap python in a script that cleans out the environment before execing.
I may be mistaken, what's the use of -E if not for security?
It's useful if you want to hide the fact that a command is implemented in Python and don't want it to malfunction if the user has PYTHONPATH set for some reason.
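The two points raised in the thread (code that reads os.environ still sees variables such as SSL_CERT_FILE under -E, and the suggestion to clean the environment before exec'ing) can be checked with the added example below. It is not code from the issue or from CPython; the allowlist, the probe program and the variable values are assumptions constructed for illustration.

```python
import os
import subprocess
import sys

# Assumption: the only variables this hypothetical application needs to inherit.
# SYSTEMROOT is listed because Windows interpreters need it to start.
ALLOWED = ("PATH", "HOME", "LANG", "LC_ALL", "TZ", "SYSTEMROOT")

# Stand-in for stdlib, OpenSSL or third-party code that reads the environment directly.
PROBE = "import os; print(os.environ.get('SSL_CERT_FILE', '<unset>'))"


def scrubbed_env(parent=None, allowed=ALLOWED):
    """Return a copy of the parent environment holding only allowlisted names."""
    parent = os.environ if parent is None else parent
    return {k: v for k, v in parent.items() if k in allowed}


def run_probe(env, *flags):
    """Run PROBE in a child interpreter with the given flags and environment."""
    proc = subprocess.run(
        [sys.executable, *flags, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def demo():
    # Constructed environment: values are placeholders, not real paths.
    hostile = dict(os.environ,
                   SSL_CERT_FILE="/tmp/constructed-ca.pem",
                   PYTHONPATH="/tmp/constructed-path")
    return {
        # -E and -I stop the interpreter from honouring PYTHON* variables,
        # but os.environ in the child is passed through unchanged.
        "-E only": run_probe(hostile, "-E"),
        "-I only": run_probe(hostile, "-I"),
        # The wrapper approach: drop everything not allowlisted, then start the child.
        "scrubbed + -E": run_probe(scrubbed_env(hostile), "-E"),
    }


if __name__ == "__main__":
    for label, seen in demo().items():
        print(f"{label:14} SSL_CERT_FILE seen by child: {seen}")
```

An allowlist is used rather than a denylist because the set of variables consulted by the stdlib and by linked libraries is open-ended, which is the concern the issue raises.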
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```python
assignee = None
closed_at = None
created_at =
labels = ['type-security', '3.8', '3.7', 'library']
title = 'Review usage of environment variables in the stdlib'
updated_at =
user = 'https://github.com/pitrou'
```
bugs.python.org fields:
```python
activity =
actor = 'benjamin.peterson'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation =
creator = 'pitrou'
dependencies = []
files = []
hgrepos = []
issue_num = 33019
keywords = []
message_count = 5.0
messages = ['313393', '313395', '313404', '313405', '313425']
nosy_count = 4.0
nosy_names = ['pitrou', 'christian.heimes', 'benjamin.peterson', 'alex']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue33019'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8']
```