[Python-Dev] Safely importing zip files with C extensions
Gregory P. Smith
greg at krypto.org
Fri Mar 29 02:06:35 CET 2013
On Thu, Mar 28, 2013 at 9:09 AM, Brett Cannon <brett at python.org> wrote:
>
>
>
> On Thu, Mar 28, 2013 at 10:44 AM, Thomas Heller <theller at ctypes.org>wrote:
>
>> Am 27.03.2013 20:38, schrieb Vinay Sajip:
>>
>> This quote is here to stop GMane complaining that I'm top-posting.
>>>> Ignore.
>>>>
>>>
>>> I've already posted this to distutils-sig, but thought that it might be
>>> of
>>> interest to readers here as it relates to importing C extensions ...
>>>
>>> zipimport is great, but there can be issues importing software that
>>> contains
>>> C extensions. But the new wheel format (PEP 427) may give us a better
>>> way of
>>> importing zip files containing C extensions. Since wheels are .zip
>>> files, they
>>> can sometimes be used to provide functionality without needing to be
>>> installed.
>>> But whereas .zip files contain no convention for indicating
>>> compatibility with
>>> a particular Python, wheels do contain this compatibility information.
>>> Thus, it
>>> is possible to check if a wheel can be directly imported from, and the
>>> wheel
>>> support in distlib allows you to take advantage of this using the
>>> mount() and
>>> unmount() methods. When you mount a wheel, its absolute path name is
>>> added to
>>> sys.path, allowing the Python code in it to be imported. (A
>>> DistlibException is
>>> raised if the wheel isn't compatible with the Python which calls the
>>> mount()
>>> method.)
>>>
>>
>> The zip-file itself could support importing compiled extensions when it
>> contains a python-wrapper module that unpacks the .so/.dll file somewhere,
>> and finally calls imp.load_dynamic() to import it and replace itself.
>
>
> Which must be done carefully to prevent a security issue. It shouldn't be
> unzipped anywhere but into a directory only writable by the process.
>
>
Once http://sourceware.org/bugzilla/show_bug.cgi?id=11767 is implemented
and available in libc, no extraction of .so's should be needed (they will
likely need to be stored uncompressed in the .zip file for that though).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130328/1d252a7d/attachment.html>
More information about the Python-Dev
mailing list