Real Python: Python News: What's New From February 2024

As February took a rare leap forward with an extra day this year, the Python community followed suit!

Python versions 3.12 and 3.11 receive a security fix, and CPython source distributions now document the software supply chain to allow for more effective vulnerability detection. Another Rust-based tool makes its way into the Python ecosystem, promising exciting improvements to the existing package management system.

Looking ahead, the reveal of the PyCon US 2024 schedule gives us a glimpse into the upcoming Python conference. In other news, the Python Software Foundation launches recurring Office Hours to enhance community support in the Grants Program.

Let’s dive into the biggest Python news from the past month!

Python 3.12 and 3.11 Receive a Security Fix

The Python 3.12.2 and Python 3.11.8 patch versions were released, incorporating hundreds of commits and a host of bug fixes. Aside from that, they both provide a small security fix to an obscure feature of Python that allows for arbitrary code execution.

In a nutshell, this new security fix forbids the processing of hidden path configuration files (.pth) located in a virtual environment’s site-packages/ folder:

venv/
│
├── bin/
│
├── include/
│
├── lib/
│   │
│   └── python3.12/
│       │
│       └── site-packages/
│           │
│           └── .your-hidden.pth
│
├── lib64/
│
└── pyvenv.cfg

On a Unix-like operating system, any file becomes implicitly hidden when its name starts with a leading dot. On Windows, a file needs the corresponding attribute set to be hidden. Note that the directory structure presented above might look slightly different on Windows.

Path configuration files are plain text files that the site module in the Python standard library automatically parses and processes upon interpreter startup. Historically, these files helped facilitate editable installs and implement hooks into the importing machinery. They essentially let you append extra folders to the Python search path, which is accessible through the sys.path variable.

Unfortunately, .pth files have a quirk that makes it possible to execute any code on startup:

venv/lib/python3.12/site-packages/.your-hidden.pth
import os; print("This will run on Python startup!")
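The rules the site module applies to each .pth line (comments and blanks are skipped, a line starting with `import` followed by a space or tab is executed, anything else is treated as a directory to append to sys.path) are what make the quirk above possible. The following audit script is an added example, not code from Real Python or from CPython: it inventories the .pth files in a site-packages/ folder, records which lines would run code and which would extend sys.path, and flags files that are hidden (a leading dot, or the hidden attribute on Windows), which is the case the 3.12.2 and 3.11.8 releases stop processing. The `is_hidden()` check is an assumption that approximates the rule described in the article rather than the standard library's own implementation, and the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit .pth files in a site-packages directory (added example)."""
from __future__ import annotations

import stat
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def classify_pth_line(line: str) -> str:
    """Mirror how the stdlib site module treats one line of a .pth file.

    "skip": blank line or comment starting with '#'.
    "exec": line starts with 'import' followed by a space or tab;
            the interpreter exec()s it at startup.
    "path": anything else names a directory that is appended to
            sys.path if it exists.
    """
    text = line.rstrip("\n")
    if text.startswith("#") or text.strip() == "":
        return "skip"
    if text.startswith(("import ", "import\t")):
        return "exec"
    return "path"


def is_hidden(path: Path) -> bool:
    """Hidden means a leading dot on Unix-like systems, or the hidden
    attribute on Windows. Assumption: this approximates the rule the
    article describes; it is not the stdlib's own check."""
    if path.name.startswith("."):
        return True
    if sys.platform == "win32":
        return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return False


@dataclass
class PthFinding:
    path: Path
    hidden: bool
    exec_lines: list[str] = field(default_factory=list)
    path_lines: list[str] = field(default_factory=list)

    @property
    def runs_code(self) -> bool:
        """True when an interpreter processing this file would execute code."""
        return bool(self.exec_lines)


def audit_site_packages(site_packages: Path) -> list[PthFinding]:
    """Inventory every .pth file the site module would pick up and record
    which lines execute code and which extend sys.path."""
    findings: list[PthFinding] = []
    for entry in sorted(site_packages.iterdir()):
        if not (entry.is_file() and entry.name.endswith(".pth")):
            continue
        finding = PthFinding(path=entry, hidden=is_hidden(entry))
        for line in entry.read_text(encoding="utf-8").splitlines():
            kind = classify_pth_line(line)
            if kind == "exec":
                finding.exec_lines.append(line)
            elif kind == "path":
                finding.path_lines.append(line.rstrip())
        findings.append(finding)
    return findings


def build_sample_site_packages(root: Path) -> Path:
    """Create a constructed site-packages tree: one ordinary editable-install
    .pth and one hidden .pth carrying the import line from the article."""
    site_packages = root / "venv" / "lib" / "python3.12" / "site-packages"
    site_packages.mkdir(parents=True)
    (site_packages / "editable.pth").write_text(
        "# constructed editable install\n/constructed/src\n", encoding="utf-8"
    )
    (site_packages / ".your-hidden.pth").write_text(
        'import os; print("This will run on Python startup!")\n', encoding="utf-8"
    )
    return site_packages


def run_demo() -> list[PthFinding]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site_packages(build_sample_site_packages(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        flags = ", ".join(
            s for s, on in (("hidden", f.hidden), ("executes code", f.runs_code)) if on
        ) or "path entries only"
        print(f"{f.path.name}: {flags}; sys.path additions: {f.path_lines}")
```

Pointing `audit_site_packages()` at a real virtual environment's site-packages/ folder lists every .pth file regardless of interpreter version, so an environment that still carries a hidden .pth file shows up in the report even after upgrading to a release that no longer processes it.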

Read the full article at https://realpython.com/python-news-february-2024/ »
