Mailing List Archive

Proposal to deprecate mailcap
A CVE has been opened against mailcap (see
https://github.com/python/cpython/issues/68966 for details). I'm not aware
of anyone trying to maintain the module and Victor did a search online and
didn't find any use of the module in the top 5000 projects on PyPI (see the
issue). The module is also under 300 lines of Python code that only (
https://github.com/python/cpython/blob/main/Lib/mailcap.py), so vendoring
wouldn't be burdensome.

As such, I'm proposing we deprecate mailcap in 3.11 and remove it in 3.13.
Any explicit objections?
Re: Proposal to deprecate mailcap [ In reply to ]

Agree on deprecating. I searched grep.app and found no significant usage.

Do you know why this module wasn't included in PEP 594? Should we do
another audit of old modules to deprecate them before they cause problems?

Re: Proposal to deprecate mailcap [ In reply to ]
> I searched grep.app and found no significant usage.

Maybe someone wants to inform mitmproxy?

It's a very popular tool and it comes up using that tool when searching for
"import mailcap" using grep.app:
https://grep.app/search?q=import%20mailcap
https://github.com/mitmproxy/mitmproxy/blob/main/mitmproxy/tools/console/master.py#L2

Re: Proposal to deprecate mailcap [ In reply to ]
On Thu, Apr 14, 2022 at 12:04 Jelle Zijlstra <jelle.zijlstra@gmail.com>
wrote:

>
>
> On Thu, Apr 14, 2022 at 11:47, Brett Cannon (<brett@python.org>)
> wrote:
>
>> Do you know why this module wasn't included in PEP 594?
>

Probably because it’s not a top level module — it’s inside the email
package.

> Should we do another audit of old modules to deprecate them before they
> cause problems?
>
--
--Guido (mobile)
Re: Proposal to deprecate mailcap [ In reply to ]
+1 add it to the 3.11 deprecations and proactively reach out to the
mitmproxy owners.

(internal code search: aside from mitmproxy I only see a _single_ use of
this in our codebase and it was simply convenient but has a clear simpler
alternative assuming that ~2008 era code is even still in use)

-gps

Re: Proposal to deprecate mailcap [ In reply to ]
On Thu, Apr 14, 2022 at 12:21, Damian Shaw (<damian.peter.shaw@gmail.com>)
wrote:

> > I searched grep.app and found no significant usage.
>
> Maybe someone wants to inform mitmproxy?
>
Thanks for catching that! I missed it because I mistakenly searched for
'"import mailcap"' in quotes. It looks like mitmproxy isn't vulnerable to
the security issue because it only passes a filename from mkstemp() to
mailcap, and hopefully mkstemp filenames don't have shell metacharacters in
them. However, if we deprecate mailcap mitmproxy will have to change their
code.

On Thu, Apr 14, 2022 at 13:33, Guido van Rossum (<guido@python.org>)
wrote:

> Probably because it’s not a top level module — it’s inside the email
> package.
>
It's in fact a top-level module.
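The mkstemp() caveat above, as an added example (not code from this thread, from mitmproxy, or from CPython's mailcap module): an allowlist check applied to a filename before it is spliced into a mailcap-style `%s` command template, plus a check that a real mkstemp() path passes it. The allowlist pattern, the helper names, and the assumption of a POSIX temp directory whose path contains no spaces are this example's own.

```python
import os
import re
import tempfile

# Allowlist for a filename that is about to be substituted into a mailcap
# command template. Anything outside this set is treated as unsafe.
# The pattern is an assumption of this example, not mailcap's own rule.
_SAFE_NAME = re.compile(r"[\w@+=:,./-]+")


def filename_is_safe(filename: str) -> bool:
    """True if the whole filename is made of allowlisted characters only."""
    return _SAFE_NAME.fullmatch(filename) is not None


def render_mailcap_command(template: str, filename: str) -> str:
    """Naive `%s` substitution in the style of a mailcap entry (constructed)."""
    # No quoting is applied: this is why an unchecked filename is dangerous
    # once the rendered string reaches a shell.
    return template.replace("%s", filename)


def safe_render(template: str, filename: str) -> str:
    """Build the command line only after the filename passed the allowlist."""
    if not filename_is_safe(filename):
        raise ValueError(f"refusing to substitute unsafe filename: {filename!r}")
    return render_mailcap_command(template, filename)


def substitution_refused(template: str, filename: str) -> bool:
    """Convenience predicate: does safe_render() reject this filename?"""
    try:
        safe_render(template, filename)
    except ValueError:
        return True
    return False


def mkstemp_name_is_safe(suffix: str = ".txt") -> bool:
    """Check the hope stated in the thread: a mkstemp() path passes the allowlist."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        return filename_is_safe(path)
    finally:
        os.close(fd)
        os.unlink(path)
```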
Re: Proposal to deprecate mailcap [ In reply to ]
Whoops, you’re right. I suppose I should have no opinion on whether to
deprecate it; I haven’t thought about it for over two decades…

--
--Guido (mobile)
Re: Proposal to deprecate mailcap [ In reply to ]
After talking about this in the SC today, we agreed to deprecate mailcap
under the auspices of PEP 594:
https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c7822
Re: Proposal to deprecate mailcap [ In reply to ]
On Tue, Apr 26, 2022 at 5:47 AM Brett Cannon <brett@python.org> wrote:
> After talking about this in the SC today, we agreed to deprecate mailcap under the auspices of PEP 594: https://github.com/python/peps/commit/701999a91dc5f976c00d5bde1510226ebd9c7822 .

Good. I proposed https://github.com/python/cpython/pull/91951 to
implement the deprecation in Python 3.11.

Fixing or documenting the shell injection vulnerability CVE-2015-20107
is still being discussed at:
https://github.com/python/cpython/issues/68966

Victor
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/Y4IAWAWYTNKSIAVTXJGV2ZMQTFV5WYTT/
Code of Conduct: http://python.org/psf/codeofconduct/
Re: Proposal to deprecate mailcap [ In reply to ]
I didn't spot anyone else report this to mitmproxy so I raised an issue to
make them aware: https://github.com/mitmproxy/mitmproxy/issues/5297