Python News: What's New From February 2024

Blog post content copied from Real Python.


As February took a rare leap forward with an extra day this year, the Python community followed suit!

Python versions 3.12 and 3.11 receive a security fix, and CPython source distributions now document the software supply chain to allow for more effective vulnerability detection. Another Rust-based tool makes its way into the Python ecosystem, promising exciting improvements to the existing package management system.

Looking ahead, the reveal of the PyCon US 2024 schedule gives us a glimpse into the upcoming Python conference. In other news, the Python Software Foundation launches recurring Office Hours to enhance community support in the Grants Program.

Let’s dive into the biggest Python news from the past month!

Python 3.12 and 3.11 Receive a Security Fix

The Python 3.12.2 and Python 3.11.8 patch versions were released, incorporating hundreds of commits and a host of bug fixes. Aside from that, they both provide a small security fix to an obscure feature of Python that allows for arbitrary code execution.

In a nutshell, this new security fix forbids the processing of hidden path configuration files (.pth) located in a virtual environment’s site-packages/ folder:

venv/
│
├── bin/
│
├── include/
│
├── lib/
│   │
│   └── python3.12/
│       │
│       └── site-packages/
│           │
│           └── .your-hidden.pth
│
├── lib64/
│
└── pyvenv.cfg

On a Unix-like operating system, any file becomes implicitly hidden when its name starts with a leading dot. On Windows, a file needs the corresponding attribute set to be hidden. Note that the directory structure presented above might look slightly different on Windows.

Path configuration files are plain text files that the site module in the Python standard library automatically parses and processes at interpreter startup. Historically, these files helped facilitate editable installs and implement hooks into the importing machinery. They essentially let you append extra folders to the Python search path, which is accessible through the sys.path variable.

Unfortunately, .pth files have a quirk that makes it possible to execute any code on startup:

venv/lib/python3.12/site-packages/.your-hidden.pth:
import os; print("This will run on Python startup!")
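To see what the site module actually does with those files, here is an added audit script (not code from the Real Python article) that walks a site-packages directory, flags hidden .pth files, and separates the lines site.py would exec() at startup from plain path entries. The virtual environment it inspects is a constructed sample built in a temporary directory.

```python
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """Hidden by a leading dot (Unix-like) or by the hidden attribute (Windows)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # only set on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit_pth_files(site_packages: Path) -> list[dict]:
    """One finding per .pth file, mirroring site.py: blank and '#' lines are
    skipped, 'import ' / 'import<tab>' lines are exec()'d, the rest are paths."""
    findings = []
    for pth in sorted(p for p in site_packages.iterdir() if p.name.endswith(".pth")):
        exec_lines, path_lines = [], []
        for raw in pth.read_text(encoding="utf-8", errors="replace").splitlines():
            line = raw.rstrip()
            if not line or line.startswith("#"):
                continue
            if line.startswith(("import ", "import\t")):
                exec_lines.append(line)
            else:
                path_lines.append(line)
        findings.append({
            "file": pth.name,
            "hidden": is_hidden(pth),
            "exec_lines": exec_lines,
            "path_lines": path_lines,
        })
    return findings


def demo() -> list[dict]:
    """Build a constructed site-packages tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp) / "venv" / "lib" / "python3.12" / "site-packages"
        sp.mkdir(parents=True)
        # Constructed sample: a normal editable-install entry (a path line) ...
        (sp / "my-editable-pkg.pth").write_text("/home/user/projects/my-pkg\n")
        # ... and the hidden file from the article, whose single line is executed.
        (sp / ".your-hidden.pth").write_text(
            'import os; print("This will run on Python startup!")\n'
        )
        return audit_pth_files(sp)
```

Running audit_pth_files() against a real venv's site-packages lists every file an interpreter started from that venv would process, with the hidden ones that 3.12.2 and 3.11.8 now skip marked explicitly.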

Read the full article at https://realpython.com/python-news-february-2024/ »




March 11, 2024 at 07:30PM
