[New-bugs-announce] [issue28896] Embeddable zip allows Windows registry to override module location

Alexey Izbyshev report at bugs.python.org
Wed Dec 7 11:38:28 EST 2016


New submission from Alexey Izbyshev:

The docs claim: "... the embedded distribution is (almost) fully isolated from the user’s system, including environment variables, system registry settings, and installed packages."

Via the ProcessMonitor tool I've discovered that python.exe still accesses keys like "HKLM\Software\Python\PythonCore\3.5\Modules\collections" on every module import, allowing registry settings to override the location of any non-builtin module.

Digging into the 3.5.2 code revealed that WindowsRegistryFinder is unconditionally added to sys.meta_path (Lib/importlib/_bootstrap_external.py, line 1422):

    if _os.__name__ == 'nt':
        sys.meta_path.append(WindowsRegistryFinder)

It can also be confirmed at runtime:

    Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit (AMD64)] on win32
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import sys
    >>> print(sys.meta_path)
    [<class '_frozen_importlib.BuiltinImporter'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external.PathFinder'>]

Is this behavior intended? It seems to be against doc claims and the goal of embeddability.

----------
components: Windows
messages: 282632
nosy: izbyshev, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Embeddable zip allows Windows registry to override module location
type: behavior
versions: Python 3.5

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28896>
_______________________________________
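
An audit-and-mitigation sketch for the behavior reported above, added here as an example; it is not part of the original report and is not CPython's code. The function names are hypothetical, and the registry path is the one quoted in the report with the version filled in from the running interpreter.

```python
import sys

# Class name as it appears in the sys.meta_path listing in the report.
FINDER_NAME = "WindowsRegistryFinder"

def registry_finders(meta_path):
    """Return the meta path entries that resolve modules through the registry."""
    return [f for f in meta_path
            if getattr(f, "__name__", type(f).__name__) == FINDER_NAME]

def strip_registry_finders(meta_path):
    """Remove registry-backed finders in place and return how many were removed."""
    found = registry_finders(meta_path)
    meta_path[:] = [f for f in meta_path if f not in found]
    return len(found)

def module_override_keys(version=None):
    """List (hive, module, path) entries under PythonCore/<version>/Modules."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return []
    version = version or "%d.%d" % sys.version_info[:2]
    base = r"Software\Python\PythonCore\%s\Modules" % version
    hits = []
    # importlib consults HKEY_CURRENT_USER before HKEY_LOCAL_MACHINE.
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        try:
            with winreg.OpenKey(getattr(winreg, hive), base) as key:
                subkeys = winreg.QueryInfoKey(key)[0]
                for i in range(subkeys):
                    name = winreg.EnumKey(key, i)
                    hits.append((hive, name, winreg.QueryValue(key, name)))
        except OSError:
            continue  # key absent or unreadable in this hive
    return hits

if __name__ == "__main__":
    for hive, name, path in module_override_keys():
        print("override: %s module %r -> %r" % (hive, name, path))
    print("registry finders removed:", strip_registry_finders(sys.meta_path))
```

Removing the finder only affects imports made after the call; modules already imported during interpreter startup were resolved while the finder was still active.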

