* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' @ 2024-04-17 18:23 Augusto Stoffel 2024-04-17 19:13 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-17 18:23 UTC (permalink / raw) To: 70440 [-- Attachment #1: Type: text/plain, Size: 80 bytes --] Tags: patch The attachment should be self-explanatory, otherwise let me know. [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-Use-P-switch-when-calling-python-interpreter.patch --] [-- Type: text/patch, Size: 2551 bytes --] From 04db8a3fbb29f497fdc728f4413aea162650b30b Mon Sep 17 00:00:00 2001 From: Augusto Stoffel <arstoffel@gmail.com> Date: Wed, 17 Apr 2024 20:17:22 +0200 Subject: [PATCH] Use -P switch when calling 'python-interpreter' This excludes the current directory from Python's module load path, which can be unsafe. * lisp/progmodes/python.el (python--list-imports): Use -P switch (python--do-isort): Use -P switch (python-fix-imports): Use -P switch --- lisp/progmodes/python.el | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el index 85279d3e84b..180a8357aad 100644 --- a/lisp/progmodes/python.el +++ b/lisp/progmodes/python.el @@ -6805,7 +6805,7 @@ python--list-imports (append (split-string-shell-command python-interpreter-args) - `("-c" ,python--list-imports) + `("-Pc" ,python--list-imports) (list (or name ""))))) (with-current-buffer buffer (apply #'call-process @@ -6814,7 +6814,7 @@ python--list-imports (append (split-string-shell-command python-interpreter-args) - `("-c" ,python--list-imports) + `("-Pc" ,python--list-imports) (list (or name "")) (mapcar #'file-local-name source)))))) lines) @@ -6862,7 +6862,7 @@ python--do-isort (append (split-string-shell-command python-interpreter-args) - '("-m" "isort" "-") + '("-Pm" "isort" "-") args))) (tick (buffer-chars-modified-tick))) (unless (eq 0 status) @@ -6940,7 +6940,7 @@ python-fix-imports (append (split-string-shell-command python-interpreter-args) - '("-m" "pyflakes")))) + '("-Pm" "pyflakes")))) (goto-char (point-min)) (when (looking-at-p ".* No module named pyflakes$") (error "%s couldn't find pyflakes" python-interpreter)) -- 2.44.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-17 18:23 bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' Augusto Stoffel @ 2024-04-17 19:13 ` Eli Zaretskii 2024-04-18 15:25 ` kobarity 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-17 19:13 UTC (permalink / raw) To: Augusto Stoffel, kobarity; +Cc: 70440 > From: Augusto Stoffel <arstoffel@gmail.com> > Date: Wed, 17 Apr 2024 20:23:30 +0200 > > The attachment should be self-explanatory, otherwise let me know. > > > >From 04db8a3fbb29f497fdc728f4413aea162650b30b Mon Sep 17 00:00:00 2001 > From: Augusto Stoffel <arstoffel@gmail.com> > Date: Wed, 17 Apr 2024 20:17:22 +0200 > Subject: [PATCH] Use -P switch when calling 'python-interpreter' > > This excludes the current directory from Python's module load path, > which can be unsafe. > > * lisp/progmodes/python.el (python--list-imports): Use -P switch > (python--do-isort): Use -P switch > (python-fix-imports): Use -P switch > --- > lisp/progmodes/python.el | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el > index 85279d3e84b..180a8357aad 100644 > --- a/lisp/progmodes/python.el > +++ b/lisp/progmodes/python.el > @@ -6805,7 +6805,7 @@ python--list-imports > (append > (split-string-shell-command > python-interpreter-args) > - `("-c" ,python--list-imports) > + `("-Pc" ,python--list-imports) > (list (or name ""))))) > (with-current-buffer buffer > (apply #'call-process > @@ -6814,7 +6814,7 @@ python--list-imports > (append > (split-string-shell-command > python-interpreter-args) > - `("-c" ,python--list-imports) > + `("-Pc" ,python--list-imports) > (list (or name "")) > (mapcar #'file-local-name source)))))) > lines) > @@ -6862,7 +6862,7 @@ python--do-isort > (append > (split-string-shell-command > python-interpreter-args) > - '("-m" "isort" "-") > + '("-Pm" "isort" "-") > args))) > (tick (buffer-chars-modified-tick))) > (unless (eq 0 status) > @@ -6940,7 +6940,7 @@ python-fix-imports > (append > (split-string-shell-command > python-interpreter-args) > - '("-m" "pyflakes")))) > + '("-Pm" "pyflakes")))) > (goto-char (point-min)) > (when (looking-at-p ".* No module named pyflakes$") > (error "%s couldn't find pyflakes" python-interpreter)) > -- > 2.44.0 > Thanks. kobarity, any comments? ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-17 19:13 ` Eli Zaretskii @ 2024-04-18 15:25 ` kobarity 2024-04-18 15:52 ` Augusto Stoffel 2024-04-19 6:08 ` Augusto Stoffel 0 siblings, 2 replies; 17+ messages in thread From: kobarity @ 2024-04-18 15:25 UTC (permalink / raw) To: Augusto Stoffel, Eli Zaretskii; +Cc: 70440 Eli Zaretskii wrote: > > From: Augusto Stoffel <arstoffel@gmail.com> > > Date: Wed, 17 Apr 2024 20:23:30 +0200 > > > > The attachment should be self-explanatory, otherwise let me know. > > > > > > >From 04db8a3fbb29f497fdc728f4413aea162650b30b Mon Sep 17 00:00:00 2001 > > From: Augusto Stoffel <arstoffel@gmail.com> > > Date: Wed, 17 Apr 2024 20:17:22 +0200 > > Subject: [PATCH] Use -P switch when calling 'python-interpreter' > > > > This excludes the current directory from Python's module load path, > > which can be unsafe. > > > > * lisp/progmodes/python.el (python--list-imports): Use -P switch > > (python--do-isort): Use -P switch > > (python-fix-imports): Use -P switch > > --- > > lisp/progmodes/python.el | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el > > index 85279d3e84b..180a8357aad 100644 > > --- a/lisp/progmodes/python.el > > +++ b/lisp/progmodes/python.el > > @@ -6805,7 +6805,7 @@ python--list-imports > > (append > > (split-string-shell-command > > python-interpreter-args) > > - `("-c" ,python--list-imports) > > + `("-Pc" ,python--list-imports) > > (list (or name ""))))) > > (with-current-buffer buffer > > (apply #'call-process > > @@ -6814,7 +6814,7 @@ python--list-imports > > (append > > (split-string-shell-command > > python-interpreter-args) > > - `("-c" ,python--list-imports) > > + `("-Pc" ,python--list-imports) > > (list (or name "")) > > (mapcar #'file-local-name source)))))) > > lines) > > @@ -6862,7 +6862,7 @@ python--do-isort > > (append > > (split-string-shell-command > > python-interpreter-args) > > - '("-m" "isort" "-") > > + '("-Pm" "isort" "-") > > args))) > > (tick (buffer-chars-modified-tick))) > > (unless (eq 0 status) > > @@ -6940,7 +6940,7 @@ python-fix-imports > > (append > > (split-string-shell-command > > python-interpreter-args) > > - '("-m" "pyflakes")))) > > + '("-Pm" "pyflakes")))) > > (goto-char (point-min)) > > (when (looking-at-p ".* No module named pyflakes$") > > (error "%s couldn't find pyflakes" python-interpreter)) > > -- > > 2.44.0 > > > > Thanks. > > kobarity, any comments? The -P switch is new, introduced in CPython 3.11, so I don't think it can be added unconditionally. Furthermore, `python-interpreter' may not be CPython. Isn't it enough to customize `python-interpreter-args'? ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-18 15:25 ` kobarity @ 2024-04-18 15:52 ` Augusto Stoffel 2024-04-18 15:57 ` Eli Zaretskii 2024-04-19 6:08 ` Augusto Stoffel 1 sibling, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-18 15:52 UTC (permalink / raw) To: kobarity; +Cc: 70440, Eli Zaretskii On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > The -P switch is new, introduced in CPython 3.11, so I don't think it > can be added unconditionally. Furthermore, `python-interpreter' may > not be CPython. Isn't it enough to customize > `python-interpreter-args'? Ah, too bad. So let's send that option via environment variables. I'll make a new patch when I get the chance. This patch is a quite important fix and shouldn't be left to a customization. Without it, you need to trust the .py files in the current directory. Moreover any name clashes with the built-in library module names can crash the commands (just happened to me). ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-18 15:52 ` Augusto Stoffel @ 2024-04-18 15:57 ` Eli Zaretskii 2024-04-18 16:02 ` Augusto Stoffel 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-18 15:57 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org > Date: Thu, 18 Apr 2024 17:52:21 +0200 > > On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > > > The -P switch is new, introduced in CPython 3.11, so I don't think it > > can be added unconditionally. Furthermore, `python-interpreter' may > > not be CPython. Isn't it enough to customize > > `python-interpreter-args'? > > Ah, too bad. So let's send that option via environment variables. I'll > make a new patch when I get the chance. Maybe we should discuss this before you sit down to write and text the code. Pushing things into the environment has its downsides: those environment variables then affect all the subordinate processes, including their children, grandchildren etc. This is not always wanted. One alternative to environment variables would be detecting whether -P is supported before the first time we invoke Python. We do similar stuff for Grep and other programs we invoke. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-18 15:57 ` Eli Zaretskii @ 2024-04-18 16:02 ` Augusto Stoffel 2024-04-18 16:13 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-18 16:02 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 70440, kobarity On Thu, 18 Apr 2024 at 18:57, Eli Zaretskii wrote: >> From: Augusto Stoffel <arstoffel@gmail.com> >> Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org >> Date: Thu, 18 Apr 2024 17:52:21 +0200 >> >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote: >> >> > The -P switch is new, introduced in CPython 3.11, so I don't think it >> > can be added unconditionally. Furthermore, `python-interpreter' may >> > not be CPython. Isn't it enough to customize >> > `python-interpreter-args'? >> >> Ah, too bad. So let's send that option via environment variables. I'll >> make a new patch when I get the chance. > > Maybe we should discuss this before you sit down to write and text the > code. Pushing things into the environment has its downsides: those > environment variables then affect all the subordinate processes, > including their children, grandchildren etc. This is not always > wanted. In this case we would just let-bind the env variable for this specific subprocess call only. It's no different than passing a command-line switch. > One alternative to environment variables would be detecting whether -P > is supported before the first time we invoke Python. We do similar > stuff for Grep and other programs we invoke. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-18 16:02 ` Augusto Stoffel @ 2024-04-18 16:13 ` Eli Zaretskii 0 siblings, 0 replies; 17+ messages in thread From: Eli Zaretskii @ 2024-04-18 16:13 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: kobarity@gmail.com, 70440@debbugs.gnu.org > Date: Thu, 18 Apr 2024 18:02:34 +0200 > > On Thu, 18 Apr 2024 at 18:57, Eli Zaretskii wrote: > > >> From: Augusto Stoffel <arstoffel@gmail.com> > >> Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org > >> Date: Thu, 18 Apr 2024 17:52:21 +0200 > >> > >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > >> > >> > The -P switch is new, introduced in CPython 3.11, so I don't think it > >> > can be added unconditionally. Furthermore, `python-interpreter' may > >> > not be CPython. Isn't it enough to customize > >> > `python-interpreter-args'? > >> > >> Ah, too bad. So let's send that option via environment variables. I'll > >> make a new patch when I get the chance. > > > > Maybe we should discuss this before you sit down to write and text the > > code. Pushing things into the environment has its downsides: those > > environment variables then affect all the subordinate processes, > > including their children, grandchildren etc. This is not always > > wanted. > > In this case we would just let-bind the env variable for this specific > subprocess call only. It's no different than passing a command-line > switch. Don't then the child processes of that python subprocess inherit the same variable in their environments? That's what I meant by what I wrote above: all of the descendants of our sub-process will inherit the variable. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-18 15:25 ` kobarity 2024-04-18 15:52 ` Augusto Stoffel @ 2024-04-19 6:08 ` Augusto Stoffel 2024-04-19 7:15 ` Eli Zaretskii 1 sibling, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-19 6:08 UTC (permalink / raw) To: kobarity; +Cc: 70440, Eli Zaretskii [-- Attachment #1: Type: text/plain, Size: 1146 bytes --] On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > The -P switch is new, introduced in CPython 3.11, so I don't think it > can be added unconditionally. Furthermore, `python-interpreter' may > not be CPython. Isn't it enough to customize > `python-interpreter-args'? After sleeping on this, I recommend using -P anyway and simply failing if the installed Python is too old. The reason is that this has a security implication, similar to the recent Org mode Latex preview situation. Without -P the user is tacitly trusting the contents of the current directory. By tricking an user into downloading a malicious file with an intentional name clash (say via git pull), arbitrary code could in principle be executed on the user's machine. The -P switch completely removes this possibility, and conversely, without -P there seems to be no reasonable way to make Python safe. I've attached a new patch that informs the user why the commands failed when Python is too old, which is good enough in my opinion. Note also that this change only affects the Python import management commands, which is a very handy but by no means essential feature. [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-Use-P-switch-when-calling-python-interpreter.patch --] [-- Type: text/x-patch, Size: 3474 bytes --] From 2cca02440069a31546eff04c8cd6c00b171a85a2 Mon Sep 17 00:00:00 2001 From: Augusto Stoffel <arstoffel@gmail.com> Date: Wed, 17 Apr 2024 20:17:22 +0200 Subject: [PATCH] Use -P switch when calling 'python-interpreter' This excludes the current directory from Python's module load path, which can be unsafe. * lisp/progmodes/python.el (python--list-imports, python--do-isort), (python-fix-imports): Use -P switch (python--list-imports-check-status): Warn about old Python versions missing the -P switch. --- lisp/progmodes/python.el | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el index 85279d3e84b..304aa2d9d6e 100644 --- a/lisp/progmodes/python.el +++ b/lisp/progmodes/python.el @@ -6744,9 +6744,9 @@ python--list-imports try: from isort import find_imports_in_stream, find_imports_in_paths except ModuleNotFoundError: - exit(2) -except ImportError: exit(3) +except ImportError: + exit(4) query, files, result = argv[1] or None, argv[2:], {} @@ -6781,8 +6781,9 @@ python--list-imports-check-status (unless (eq 0 status) (let* ((details (cond - ((eq 2 status) " (maybe isort is missing?)") - ((eq 3 status) " (maybe isort version is older than 5.7.0?)") + ((eq 2 status) " (maybe Python version is older than 3.11?)") + ((eq 3 status) " (maybe isort is missing?)") + ((eq 4 status) " (maybe isort version is older than 5.7.0?)") (t ""))) (msg (concat "%s exited with status %s" details))) @@ -6805,7 +6806,7 @@ python--list-imports (append (split-string-shell-command python-interpreter-args) - `("-c" ,python--list-imports) + `("-Pc" ,python--list-imports) (list (or name ""))))) (with-current-buffer buffer (apply #'call-process @@ -6814,7 +6815,7 @@ python--list-imports (append (split-string-shell-command python-interpreter-args) - `("-c" ,python--list-imports) + `("-Pc" ,python--list-imports) (list (or name "")) (mapcar #'file-local-name source)))))) lines) @@ -6862,7 +6863,7 @@ python--do-isort (append (split-string-shell-command python-interpreter-args) - '("-m" "isort" "-") + '("-Pm" "isort" "-") args))) (tick (buffer-chars-modified-tick))) (unless (eq 0 status) @@ -6940,7 +6941,7 @@ python-fix-imports (append (split-string-shell-command python-interpreter-args) - '("-m" "pyflakes")))) + '("-Pm" "pyflakes")))) (goto-char (point-min)) (when (looking-at-p ".* No module named pyflakes$") (error "%s couldn't find pyflakes" python-interpreter)) -- 2.44.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 6:08 ` Augusto Stoffel @ 2024-04-19 7:15 ` Eli Zaretskii 2024-04-19 15:21 ` Augusto Stoffel 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-19 7:15 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org > Date: Fri, 19 Apr 2024 08:08:43 +0200 > > On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > > > The -P switch is new, introduced in CPython 3.11, so I don't think it > > can be added unconditionally. Furthermore, `python-interpreter' may > > not be CPython. Isn't it enough to customize > > `python-interpreter-args'? > > After sleeping on this, I recommend using -P anyway and simply failing > if the installed Python is too old. > > The reason is that this has a security implication, similar to the > recent Org mode Latex preview situation. Without -P the user is tacitly > trusting the contents of the current directory. By tricking an user > into downloading a malicious file with an intentional name clash (say > via git pull), arbitrary code could in principle be executed on the > user's machine. > > The -P switch completely removes this possibility, and conversely, > without -P there seems to be no reasonable way to make Python safe. > > I've attached a new patch that informs the user why the commands failed > when Python is too old, which is good enough in my opinion. Note also > that this change only affects the Python import management commands, > which is a very handy but by no means essential feature. Doing it this way would be an annoyance. Users could have less-than-the-latest Python (or non-CPython version) installed for any number of reasons, and it is not our business to annoy them because of this. Security of using Python is not our concern, it is the user's concern. So I'd prefer that the change probed the support for the -P switch when the relevant Emacs commands/functions are first invoked, and used that if -P is supported, without any annoying messages. Do you see any problems with such an approach? Thanks. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 7:15 ` Eli Zaretskii @ 2024-04-19 15:21 ` Augusto Stoffel 2024-04-19 15:40 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-19 15:21 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 70440, kobarity On Fri, 19 Apr 2024 at 10:15, Eli Zaretskii wrote: >> From: Augusto Stoffel <arstoffel@gmail.com> >> Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org >> Date: Fri, 19 Apr 2024 08:08:43 +0200 >> >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote: >> >> > The -P switch is new, introduced in CPython 3.11, so I don't think it >> > can be added unconditionally. Furthermore, `python-interpreter' may >> > not be CPython. Isn't it enough to customize >> > `python-interpreter-args'? >> >> After sleeping on this, I recommend using -P anyway and simply failing >> if the installed Python is too old. >> >> The reason is that this has a security implication, similar to the >> recent Org mode Latex preview situation. Without -P the user is tacitly >> trusting the contents of the current directory. By tricking an user >> into downloading a malicious file with an intentional name clash (say >> via git pull), arbitrary code could in principle be executed on the >> user's machine. >> >> The -P switch completely removes this possibility, and conversely, >> without -P there seems to be no reasonable way to make Python safe. >> >> I've attached a new patch that informs the user why the commands failed >> when Python is too old, which is good enough in my opinion. Note also >> that this change only affects the Python import management commands, >> which is a very handy but by no means essential feature. > > Doing it this way would be an annoyance. Users could have > less-than-the-latest Python (or non-CPython version) installed for any > number of reasons, and it is not our business to annoy them because of > this. Security of using Python is not our concern, it is the user's > concern. > > So I'd prefer that the change probed the support for the -P switch > when the relevant Emacs commands/functions are first invoked, and used > that if -P is supported, without any annoying messages. Do you see > any problems with such an approach? > > Thanks. Okay, you are the maintainer, but I hope I explained well that this is a security hole. (Apart from the security aspect, without -P the tool will just mysteriously stop working if a file with a name such as csv.py is added to the project; that's what happened to me. Perhaps outright not working and explaining why is not as bad as working fine until it doesn't anymore.) ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 15:21 ` Augusto Stoffel @ 2024-04-19 15:40 ` Eli Zaretskii 2024-04-19 15:55 ` Augusto Stoffel 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-19 15:40 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: kobarity@gmail.com, 70440@debbugs.gnu.org > Date: Fri, 19 Apr 2024 17:21:48 +0200 > > On Fri, 19 Apr 2024 at 10:15, Eli Zaretskii wrote: > > >> From: Augusto Stoffel <arstoffel@gmail.com> > >> Cc: Eli Zaretskii <eliz@gnu.org>, 70440@debbugs.gnu.org > >> Date: Fri, 19 Apr 2024 08:08:43 +0200 > >> > >> On Fri, 19 Apr 2024 at 00:25, kobarity wrote: > >> > >> > The -P switch is new, introduced in CPython 3.11, so I don't think it > >> > can be added unconditionally. Furthermore, `python-interpreter' may > >> > not be CPython. Isn't it enough to customize > >> > `python-interpreter-args'? > >> > >> After sleeping on this, I recommend using -P anyway and simply failing > >> if the installed Python is too old. > >> > >> The reason is that this has a security implication, similar to the > >> recent Org mode Latex preview situation. Without -P the user is tacitly > >> trusting the contents of the current directory. By tricking an user > >> into downloading a malicious file with an intentional name clash (say > >> via git pull), arbitrary code could in principle be executed on the > >> user's machine. > >> > >> The -P switch completely removes this possibility, and conversely, > >> without -P there seems to be no reasonable way to make Python safe. > >> > >> I've attached a new patch that informs the user why the commands failed > >> when Python is too old, which is good enough in my opinion. Note also > >> that this change only affects the Python import management commands, > >> which is a very handy but by no means essential feature. > > > > Doing it this way would be an annoyance. Users could have > > less-than-the-latest Python (or non-CPython version) installed for any > > number of reasons, and it is not our business to annoy them because of > > this. Security of using Python is not our concern, it is the user's > > concern. > > > > So I'd prefer that the change probed the support for the -P switch > > when the relevant Emacs commands/functions are first invoked, and used > > that if -P is supported, without any annoying messages. Do you see > > any problems with such an approach? > > > > Thanks. > > Okay, you are the maintainer, but I hope I explained well that this is a > security hole. I'm not sure I understand: if the user doesn't have a version of Python which supports this option, what else can we do? Refuse to use such a Python? That doesn't seem to be an option we can use. Yes, this is a security hole, but it's the user's security hole, not ours, if the user doesn't install the safer Python. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 15:40 ` Eli Zaretskii @ 2024-04-19 15:55 ` Augusto Stoffel 2024-04-19 17:31 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-19 15:55 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 70440, kobarity On Fri, 19 Apr 2024 at 18:40, Eli Zaretskii wrote: > I'm not sure I understand: if the user doesn't have a version of > Python which supports this option, what else can we do? Refuse to > use such a Python? That doesn't seem to be an option we can use. Why not? Let me make sure we're on the same page that this affects only couple of handy but by no means essential commands that add or remove import statements. Nobody _needs_ this to write Python code. > Yes, this is a security hole, but it's the user's security hole, not > ours, if the user doesn't install the safer Python. I see it as _my_ security hole, since it was me who added a line to Emacs that calls 'python -c' in a random directory without removing the current directory from the module load path (as much as a find it a bad design choice in Python to do that by default.) ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 15:55 ` Augusto Stoffel @ 2024-04-19 17:31 ` Eli Zaretskii 2024-04-19 18:02 ` Augusto Stoffel 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-19 17:31 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: kobarity@gmail.com, 70440@debbugs.gnu.org > Date: Fri, 19 Apr 2024 17:55:51 +0200 > > On Fri, 19 Apr 2024 at 18:40, Eli Zaretskii wrote: > > > I'm not sure I understand: if the user doesn't have a version of > > Python which supports this option, what else can we do? Refuse to > > use such a Python? That doesn't seem to be an option we can use. > > Why not? Because it's unthinkable? > Let me make sure we're on the same page that this affects only > couple of handy but by no means essential commands that add or remove > import statements. Nobody _needs_ this to write Python code. That's not relevant. The important part is that if we accept your proposal, users who have Python that doesn't support -P will be unable to invoke Python even if their Python programs don't use the problematic features. > > Yes, this is a security hole, but it's the user's security hole, not > > ours, if the user doesn't install the safer Python. > > I see it as _my_ security hole, since it was me who added a line to > Emacs that calls 'python -c' in a random directory without removing the > current directory from the module load path (as much as a find it a bad > design choice in Python to do that by default.) Sorry, you lost me here. But if there's a way to close the hole without preventing users to use a subordinate Python, please describe it in more details. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 17:31 ` Eli Zaretskii @ 2024-04-19 18:02 ` Augusto Stoffel 2024-04-19 18:17 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-19 18:02 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 70440, kobarity On Fri, 19 Apr 2024 at 20:31, Eli Zaretskii wrote: >> Let me make sure we're on the same page that this affects only >> couple of handy but by no means essential commands that add or remove >> import statements. Nobody _needs_ this to write Python code. > > That's not relevant. The important part is that if we accept your > proposal, users who have Python that doesn't support -P will be unable > to invoke Python even if their Python programs don't use the > problematic features. That's a misunderstanding. My patch only affects the following commands: python-sort-imports python-add-import python-fix-imports python-remove-import python-import-symbol-at-point There's no change in any customization option or in the way Python is invoked for any other purpose. Of course it would be unreasonable to change the way other Python subprocesses are invoked. ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 18:02 ` Augusto Stoffel @ 2024-04-19 18:17 ` Eli Zaretskii 2024-04-19 18:30 ` Augusto Stoffel 0 siblings, 1 reply; 17+ messages in thread From: Eli Zaretskii @ 2024-04-19 18:17 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: kobarity@gmail.com, 70440@debbugs.gnu.org > Date: Fri, 19 Apr 2024 20:02:16 +0200 > > On Fri, 19 Apr 2024 at 20:31, Eli Zaretskii wrote: > > >> Let me make sure we're on the same page that this affects only > >> couple of handy but by no means essential commands that add or remove > >> import statements. Nobody _needs_ this to write Python code. > > > > That's not relevant. The important part is that if we accept your > > proposal, users who have Python that doesn't support -P will be unable > > to invoke Python even if their Python programs don't use the > > problematic features. > > That's a misunderstanding. My patch only affects the following > commands: > > python-sort-imports > python-add-import > python-fix-imports > python-remove-import > python-import-symbol-at-point Affects in what way? AFAIU, with your patch these commands will not work if Python doesn't support -P. Is that right? ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 18:17 ` Eli Zaretskii @ 2024-04-19 18:30 ` Augusto Stoffel 2024-04-19 19:01 ` Eli Zaretskii 0 siblings, 1 reply; 17+ messages in thread From: Augusto Stoffel @ 2024-04-19 18:30 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 70440, kobarity On Fri, 19 Apr 2024 at 21:17, Eli Zaretskii wrote: >> That's a misunderstanding. My patch only affects the following >> commands: >> >> python-sort-imports >> python-add-import >> python-fix-imports >> python-remove-import >> python-import-symbol-at-point > > Affects in what way? AFAIU, with your patch these commands will not > work if Python doesn't support -P. Is that right? Yes. (And again, that's not a gratuitous choice.) ^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' 2024-04-19 18:30 ` Augusto Stoffel @ 2024-04-19 19:01 ` Eli Zaretskii 0 siblings, 0 replies; 17+ messages in thread From: Eli Zaretskii @ 2024-04-19 19:01 UTC (permalink / raw) To: Augusto Stoffel; +Cc: 70440, kobarity > From: Augusto Stoffel <arstoffel@gmail.com> > Cc: kobarity@gmail.com, 70440@debbugs.gnu.org > Date: Fri, 19 Apr 2024 20:30:27 +0200 > > On Fri, 19 Apr 2024 at 21:17, Eli Zaretskii wrote: > > >> That's a misunderstanding. My patch only affects the following > >> commands: > >> > >> python-sort-imports > >> python-add-import > >> python-fix-imports > >> python-remove-import > >> python-import-symbol-at-point > > > > Affects in what way? AFAIU, with your patch these commands will not > > work if Python doesn't support -P. Is that right? > > Yes. That's what IMO is unthinkable: we cannot possibly force the user's hand that much, especially since this used to work before. Users need to learn about the problem and install a newer Python, and then the security hole will be gone, at least as far as invoking Python from Emacs is concerned. The most we can do is urge the users to upgrade in the NEWS entry where we announce this new feature. ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2024-04-19 19:01 UTC | newest] Thread overview: 17+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-17 18:23 bug#70440: [PATCH] Use -P switch when calling 'python-interpreter' Augusto Stoffel 2024-04-17 19:13 ` Eli Zaretskii 2024-04-18 15:25 ` kobarity 2024-04-18 15:52 ` Augusto Stoffel 2024-04-18 15:57 ` Eli Zaretskii 2024-04-18 16:02 ` Augusto Stoffel 2024-04-18 16:13 ` Eli Zaretskii 2024-04-19 6:08 ` Augusto Stoffel 2024-04-19 7:15 ` Eli Zaretskii 2024-04-19 15:21 ` Augusto Stoffel 2024-04-19 15:40 ` Eli Zaretskii 2024-04-19 15:55 ` Augusto Stoffel 2024-04-19 17:31 ` Eli Zaretskii 2024-04-19 18:02 ` Augusto Stoffel 2024-04-19 18:17 ` Eli Zaretskii 2024-04-19 18:30 ` Augusto Stoffel 2024-04-19 19:01 ` Eli Zaretskii
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.