pitrou
commented
6 years ago Python supports a mode where the interpreter ignores environment variables such as PYTHONPATH, etc.
However, there are places in the stdlib where environment-sensitive decisions are made, without regard for the ignore-environment flag.
Examples include:
- ssl.get_default_verify_paths() queries SSL_CERT_FILE and SSL_CERT_DIR
- shutil.which() queries PATH
- the tempfile module queries TMPDIR, TEMP, TMP to select the defaut directory for temporary files
Do you think those need to be sanitized?
tiran
benjaminp
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields: ```python assignee = None closed_at = None created_at =
labels = ['type-security', '3.8', '3.7', 'library']
title = 'Review usage of environment variables in the stdlib'
updated_at =
user = 'https://github.com/pitrou'
```
bugs.python.org fields:
```python
activity =
actor = 'benjamin.peterson'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation =
creator = 'pitrou'
dependencies = []
files = []
hgrepos = []
issue_num = 33019
keywords = []
message_count = 5.0
messages = ['313393', '313395', '313404', '313405', '313425']
nosy_count = 4.0
nosy_names = ['pitrou', 'christian.heimes', 'benjamin.peterson', 'alex']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue33019'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8']
```