"The fact that this was a .pth file is particularly nasty. Unlike a compromised import, a .pth file runs on every Python process, not just ones that use the library. If you had the package installed in a shared environment, every Python script on that machine was triggering the payload."

What the hell? Why is that a thing??

RE: https://mamot.fr/users/Khrys/statuses/116286245381869095

@hazelnoot Python uses Python as a DSL

Wait until you hear about pickle
@hazelnoot wait it's not even Python by itself it's just hooks
@natty @hazelnoot https://docs.python.org/3.11/library/site.html#module-site:~:text=path%20configuration%20file

wow, I see why they thought they needed something like that, but still…
site — Site-specific configuration hook

Source code: Lib/site.py This module is automatically imported during initialization. The automatic import can be suppressed using the interpreter's -S option. Importing this module will append site...

Python documentation
Security risk of hidden pth files · Issue #113659 · python/cpython

"pth files are evil." (Barry Warsaw, #78125) There is a special kind of evilness: pth files allow you to execute arbitrary Python code. pth files are executed automatically, unlike normal py files w...

GitHub
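The mechanism the thread is complaining about, as an added example that is not from any of the posts above and not from CPython itself: it creates a throwaway venv with the standard library's venv module, plants a constructed .pth file (the file name zz_innocent.pth and the marker-file payload are assumptions for the demo) whose single "import" line writes a marker file, and then runs an unrelated one-liner under the venv interpreter. The payload fires with default flags and still fires under -I (isolated mode); only -S, which skips importing site, stops it. The pth_exec_lines helper is an audit check that mirrors the test site.addpackage() applies to decide which lines of a .pth file get handed to exec(), so you can point it at the .pth files in any site-packages directory you administer.

```python
import os
import subprocess
import tempfile
import venv


def pth_payload(marker_path):
    """Constructed .pth content. site.py reads every *.pth in a site-packages
    directory line by line: a line starting with "import " or "import\\t" is
    passed to exec(); other non-comment lines are treated as directories to
    append to sys.path. This one only writes a marker file so the parent
    process can tell whether it ran."""
    return f"import os; open({marker_path!r}, 'w').write(str(os.getpid()))\n"


def pth_exec_lines(pth_text):
    """Audit helper: return the lines of a .pth file that site.addpackage()
    would exec(). The test is applied to the raw line, so an indented
    "import" line is treated as a path entry, not code."""
    hits = []
    for line in pth_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            hits.append(line)
    return hits


def create_venv(root):
    """Create a pip-less venv (stdlib only, works offline) and return the
    interpreter path plus the site-packages directory site.py put on sys.path."""
    venv.create(root, with_pip=False, symlinks=os.name != "nt")
    if os.name == "nt":
        exe = os.path.join(root, "Scripts", "python.exe")
    else:
        exe = os.path.join(root, "bin", "python")
    # Ask the venv interpreter which directories it actually searches, and pick
    # the venv's own site-packages: that is the directory .pth files are read from.
    out = subprocess.run(
        [exe, "-c", "import sys; print('\\n'.join(sys.path))"],
        capture_output=True, text=True, check=True,
    ).stdout
    real_root = os.path.realpath(root)
    for entry in out.splitlines():
        if (os.path.basename(entry) == "site-packages"
                and os.path.realpath(entry).startswith(real_root)):
            return exe, entry
    raise RuntimeError("venv site-packages not found on sys.path")


def run_demo():
    """Plant the .pth in a throwaway venv, run an unrelated one-liner under
    several interpreter flags, and report whether the payload executed."""
    with tempfile.TemporaryDirectory() as tmp:
        exe, site_packages = create_venv(os.path.join(tmp, "venv"))
        marker = os.path.join(tmp, "marker.txt")
        # Assumed file name; nothing in the demo ever imports a package by this name.
        with open(os.path.join(site_packages, "zz_innocent.pth"), "w") as f:
            f.write(pth_payload(marker))

        fired = {}
        for label, flags in (("default", []), ("-I", ["-I"]), ("-S", ["-S"])):
            # The script itself never touches the venv's packages.
            subprocess.run([exe, *flags, "-c", "print('unrelated script')"],
                           capture_output=True, check=True)
            fired[label] = os.path.exists(marker)
            if fired[label]:
                os.remove(marker)
        return fired


if __name__ == "__main__":
    for label, hit in run_demo().items():
        print(f"python {label:8s} -> .pth payload executed: {hit}")
    print(pth_exec_lines("# comment\n/opt/extra\nimport os; os.getpid()\n"))
```

Note that -I (which implies -E, -s and -P) is often reached for as the "safe" way to run an interpreter, yet it leaves site enabled, so .pth files in the venv or system site-packages still run; only -S skips them, at the cost of losing site-packages entirely.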