[Distutils] Malicious packages on PyPI

James Bennett ubernostrum at gmail.com
Thu Jun 1 19:22:24 EDT 2017


A couple of pieces of prior art:

In Django, where we supply a command to let users create a new project or
application, we ask the user to supply a name. And then as a quick check
before proceeding, attempt to import the supplied name; if the import
succeeds, the startapp/startproject command bails out telling you not to
shadow an existing Python module.

Meanwhile, over in django-registration (a Django app for user-account
signups), there's a medium-sized list of "usernames" which are marked as
reserved by default, and validators which reject on them to avoid
registering some potentially-sensitive names. The list there is all manual,
and based on this original list:

https://ldpreload.com/blog/names-to-reserve

Plus some extra stuff that isn't sensitive as a subdomain/mailbox name but
might still be a problem (i.e., if you give users account-profile URLs like
/users/<username>, you probably don't want someone coming in as
/users/signup).
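As an added illustration of the two checks described above, here is a small Python validator that is not code from this post, from Django, or from django-registration. It combines the "does this name already import?" test with a reserved-name list. Two assumptions: the reserved list is a short constructed stand-in for django-registration's longer one, and the module check uses `importlib.util.find_spec` rather than a real `import`, a deliberate variant so that the check never executes module-level code from whatever happens to be on `sys.path`.

```python
import importlib.util
import keyword
import re
import sys
from typing import Iterable

# Constructed sample, standing in for the much longer reserved list in
# django-registration (not reproduced here). Includes names that are harmless
# as mailbox/subdomain names but collide with routes like /users/<username>.
RESERVED_NAMES = frozenset({
    "admin", "administrator", "root", "postmaster", "webmaster",
    "www", "mail", "api", "static", "media",
    "signup", "login", "logout", "users", "profile",
})

# Top-level names only: no dots, so find_spec never has to import a parent.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def shadows_existing_module(name: str) -> bool:
    """Return True if `name` resolves to a module that could be imported.

    find_spec locates the module without executing it, unlike a real
    import, which would run that module's top-level code.
    """
    if not NAME_RE.match(name):
        return False
    stdlib_names = getattr(sys, "stdlib_module_names", frozenset())  # 3.10+
    if name in sys.builtin_module_names or name in stdlib_names:
        return True
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False


def check_new_name(name: str, reserved: Iterable[str] = RESERVED_NAMES) -> list[str]:
    """Collect every reason a proposed project/app/user name should be refused.

    An empty list means the name is acceptable.
    """
    problems = []
    if not NAME_RE.match(name):
        problems.append("not a valid Python identifier")
    elif keyword.iskeyword(name):
        problems.append("is a Python keyword")
    if name.lower() in {r.lower() for r in reserved}:
        problems.append("reserved name")
    if shadows_existing_module(name):
        problems.append("shadows an existing Python module")
    return problems


if __name__ == "__main__":
    for candidate in ("myblog", "os", "signup", "my-blog", "class"):
        verdict = check_new_name(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Rejecting on `find_spec` rather than on a successful import keeps the semantics of the Django check (any importable name is refused) while removing the side effect of running the shadowed module during validation.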