diff --git a/peps/pep-0829.rst b/peps/pep-0829.rst index 8fd1201a46e..e69afd1dce3 100644 --- a/peps/pep-0829.rst +++ b/peps/pep-0829.rst @@ -30,7 +30,8 @@ have used arbitrary code execution in ``.pth`` files as an attack vector. This PEP doesn't completely close this vector, but it does propose an important and useful improvement, by narrowing the attack surface and enabling a future policy mechanism for controlling which packages are allowed or -prevented from extending the path and executing start up code. +prevented from extending the path and executing start up code. See +:ref:`security` for additional discussion. Motivation @@ -90,10 +91,12 @@ This PEP proposes the following: During the deprecation period, for any ``.pth`` file without a matching ``.start`` file, the processing of the former is unchanged, - although a warning about ``import`` lines is issued. After the deprecation - period ``import`` lines in ``.pth`` files are ignored and a warning is - issued, regardless of whether there is a matching ``.start`` file or - not. + although a warning about ``import`` lines is issued when ``-v`` (verbose) + flag is given to Python. + + After the deprecation period ``import`` lines in ``.pth`` files are + ignored and a warning is issued, regardless of whether there is a matching + ``.start`` file or not. See the :ref:`teach` section for specific migration guidelines. @@ -113,6 +116,10 @@ both files. all path extensions, preserving order file-by-file and then by entry appearance. Duplicates are ignored. +#. During the deprecation period, collect ``import`` lines found from + ``.pth`` files. Processing of these lines is deferred until after + ``.start`` file scanning. + #. *Future extension:* apply a :ref:`global policy filter ` on the list of path extensions. 
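Review bot: in the second hunk (``-90,10 +91,12``), making the deprecation warning ``-v``-only means a default interpreter start gives no signal that a ``.pth`` file is still executing ``import`` lines, which works against the "narrowing the attack surface" framing in the abstract; a ``DeprecationWarning`` (silenced by default, but surfaced with ``-W default`` or ``-X dev`` and in test runners) would be the conventional choice. The following paragraph says that after the deprecation period "a warning is issued" without saying whether that one is also ``-v``-only; state it. Nit: "when the ``-v`` (verbose) flag is given".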
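Review bot: in the third hunk (``-113,6 +116,10``), the new step says the collected ``import`` lines are "deferred until after ``.start`` file scanning" but never says at which step they are actually executed or in what order. Deferral is an observable change: today an ``import`` line runs with only the ``sys.path`` entries added before it, whereas under the new sequence it would see every path extension (and, depending on where it is placed, may run after entry points). Spell out the execution step and the ordering (file-by-file in sorted order, then by line) so implementers and packagers know what the surviving lines can rely on. Nit: "found in ``.pth`` files".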
@@ -121,6 +128,10 @@ both files. #. List all ``.start`` files (see :ref:`discovery` for additional details) and sort them in alphabetical order by filename. + For any ``.start`` that matches a previously scanned ``.pth`` + file, discard all ``import`` lines from those matched ``.pth`` files. + See the :ref:`teach` section for more details and rationale. + #. Parse the ``.start`` files in sorted order, keeping a global list of all entry points, preserving order file-by-file and then by entry appearance. Duplicates are :ref:`not ignored `. @@ -290,6 +301,7 @@ utilize the ``import`` line arbitrary code execution feature of current importable module inside the package, and then name this callable in an entry point specification inside a ``.start`` file. +.. _security: Security Implications ===================== @@ -299,6 +311,10 @@ This PEP improves the security posture of interpreter startup. * The removal of arbitrary code execution by :func:`exec` with entry point execution, which is more constrained and auditable. +* Splitting ``sys.path`` extensioni from code execution into two separate + files means that you can tell by listing the files in the site-dir, exactly + where arbitrary code execution occurs. + * Python's import system is used to access and run the entry points, so the standard audit hooks (:pep:`578`) can provide monitoring. @@ -414,6 +430,14 @@ Open Issues Change History ============== +``TBD`` + +* During the deprecation period, warnings about ``import`` lines in + ``.pth`` files with no matching ``.start`` file are only issued + when ``-v`` (verbose) is given. +* Clarify that ``import`` lines in ``.pth`` files where there is a + matching ``.start`` file are ignored. + `13-Apr-2026 `__ * Changed the PEP title.
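Review bot: in the first hunk here (``-121,6 +128,10``), "matches" is left undefined; say what a match is (same file stem in the same site-dir, if that is what :ref:`discovery` specifies) and fix the number agreement: "For any ``.start`` file that matches a previously scanned ``.pth`` file, discard the ``import`` lines of that ``.pth`` file". Also say whether the discard is silent. As written, a package that ships both files but leaves ``import`` lines behind gets no diagnostic, which is exactly the case an auditor will want flagged; at minimum a ``-v`` message, consistent with the deprecation-period warning added earlier in this patch.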
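Review bot: in the ``-299,6 +311,10`` hunk, typo ``extensioni`` for ``extension``, and the new bullet overstates what a directory listing tells you: it shows which ``.start`` files can cause code to run at startup, not "exactly where" execution occurs, since the callable lives in the package and, during the deprecation period, unmatched ``.pth`` files still execute ``import`` lines. Suggested wording: "Splitting ``sys.path`` extension from code execution into two separate files means that listing the site-dir shows which files can cause code to run at startup and which only extend the path." Drop the comma after ``site-dir`` either way.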
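Review bot: in the last hunk (``-414,6 +430,14``), the ``TBD`` entry needs the real date and discussion link before merge, matching the ``13-Apr-2026`` entry below it; the second bullet should also say whether the ignored ``import`` lines produce any diagnostic, since "ignored" on its own reads as silent.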