Security risk of hidden pth files #113659
Description
"pth files are evil." (Barry Warsaw, #78125)
There is a special kind of evilness:
- pth files allow to execute arbitrary Python code.
- pth files are executed automatically, unlike to normal py files which need explicit import or passing as argument to Python interpreter.
- Some files are hidden by default (in shell and file managers). In particularly dot-files on Posix.
In sum, it increases the risk of executing malicious code. When you receive a handful of files, you, as a cautious person, check their contents before executing. If Python source files are hidden, it's okay, because you saw that nothing suspicious is imported in the files that you execute. But pth files can be executed even if you do not see them and there are no references in visible files.
This issue was first discussed in comments in #113357.
The severity of this issue is not very large, because it requires user interaction to activate. But it increases the risk. I think we should forbid processing hidden pth files.
Linked PRs
- gh-113659: Skip hidden .pth files #113660
- [3.12] gh-113659: Skip hidden .pth files (GH-113660) #114143
- [3.11] gh-113659: Skip hidden .pth files (GH-113660) #114144
- [3.10] gh-113659: Skip hidden .pth files (GH-113660) #114145
- [3.9] gh-113659: Skip hidden .pth files (GH-113660) #114146
- [3.8] gh-113659: Skip hidden .pth files (GH-113660) #114147