Move self_outdated_check import to the top to stop WHL exec on install. #13085

Open: wants to merge 4 commits into base: main

calebbrown

Fixes #13079 by moving the import to the top of the module so that it is imported when install.py is imported.

Preserve the comment as it is still relevant and add a note about preventing arbitrary code execution.

Signed-off-by: Caleb Brown <[email protected]>
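
The import-timing effect the description relies on, as an added example that is not part of the pull request or pip's code: Python resolves an import when the statement runs, so a module imported only after an install step loads whatever file is on disk at that moment, while a module imported up front is already bound in `sys.modules`. The module name `demo_outdated_check` and the file-writing stand-in for installation are constructed for illustration.

```python
import importlib
import os
import sys
import tempfile

MODULE = "demo_outdated_check"  # hypothetical name, not a real pip module


def _write_module(root: str, origin: str) -> None:
    # Top-level code in the file runs at import time and records its origin.
    with open(os.path.join(root, MODULE + ".py"), "w", encoding="utf-8") as fh:
        fh.write(f"ORIGIN = {origin!r}\n")


def run_scenario(eager: bool) -> str:
    """Return which copy of the module executed: 'original' or 'replaced'."""
    with tempfile.TemporaryDirectory() as root:
        _write_module(root, "original")
        sys.path.insert(0, root)
        sys.modules.pop(MODULE, None)
        importlib.invalidate_caches()
        try:
            if eager:
                # Import before anything is written to disk.
                importlib.import_module(MODULE)
            # Constructed stand-in for an install step that writes files.
            _write_module(root, "replaced")
            importlib.invalidate_caches()
            # The point where a lazy import would run.
            return importlib.import_module(MODULE).ORIGIN
        finally:
            sys.path.remove(root)
            sys.modules.pop(MODULE, None)


if __name__ == "__main__":
    print("eager import:", run_scenario(eager=True))
    print("lazy import: ", run_scenario(eager=False))
```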
Member

@ichard26 ichard26 left a comment

Would it be worth it to include a news entry for this change? Technically this fixes a security vulnerability although I presume it hasn't been used in the wild.

@calebbrown
Author

Sure. Added.

@notatallshaw notatallshaw added this to the 25.0 milestone Nov 21, 2024
Successfully merging this pull request may close these issues.

Lazy import allows wheel to execute code on install.
3 participants