[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou
solipsis at pitrou.net
Mon Sep 1 15:59:35 CEST 2014
On Mon, 1 Sep 2014 23:42:10 +1000
Chris Angelico <rosuav at gmail.com> wrote:
> On Mon, Sep 1, 2014 at 11:34 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > On Mon, 1 Sep 2014 23:24:39 +1000
> > Chris Angelico <rosuav at gmail.com> wrote:
> >> On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou <antoine at python.org> wrote:
> >> > Not sure why. Just put another module named "ssl" in sys.modules directly.
> >> > You can also monkeypatch the genuine ssl module.
> >>
> >> That has to be done inside the same process. But imagine this
> >> scenario: You have a program that gets invoked as root (or some other
> >> user than yourself), and you're trying to fiddle with what it sees.
> >> You don't have root access, but you can manipulate the file system, to
> >> the extent that your userid has access. What can you do to affect this
> >> other program?
> >
> > If you're root you shouldn't run untrusted code. See
> > https://docs.python.org/3/using/cmdline.html#cmdoption-I
>
> Right, which is why sslcustomize has to be controlled by that, but the
> possibility of patching (or monkeypatching) ssl.py isn't as big a
> deal.
To be frank I don't understand what you're arguing about.
More information about the Python-Dev
mailing list