Ticket #177 (closed defect: fixed)
Security risk: easy_install reads a wiki page to get tarball path
Reported by: upadhyay@… | Owned by: xi
This is a *huge* security risk. Anyone can modify the wiki page: http://pyyaml.org/wiki/PyYAML, adding a malicious tarball location, which will be downloaded by easy_install and run as root by everyone who tries to install PyYAML.
At the very least please make the wiki page editable by only a few people. Or make the PyPI download location point to something more "reliable".
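The risk reported above, seen from the installing side, as an added example that is not part of the ticket and is not easy_install or PyYAML code: every archive link on an editable page is a download candidate unless the installer restricts hosts and checks a digest recorded out of band. The file paths, version numbers, the attacker.example host and the archive bytes are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect every href on a page, the way a link-scraping installer would."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base_url, href))

def candidate_tarballs(page_html, base_url, project):
    """Return all links on the page that look like source archives of `project`."""
    collector = LinkCollector(base_url)
    collector.feed(page_html)
    prefix = project.lower() + "-"
    return [u for u in collector.links
            if urlparse(u).path.rsplit("/", 1)[-1].lower().startswith(prefix)
            and u.endswith((".tar.gz", ".zip"))]

def trusted_tarballs(urls, allowed_hosts):
    """Keep only archives served over HTTPS from an allow-listed host."""
    return [u for u in urls
            if urlparse(u).scheme == "https"
            and urlparse(u).hostname in allowed_hosts]

def matches_pin(archive_bytes, pinned_sha256):
    """True only if the archive has the digest recorded out of band."""
    return hashlib.sha256(archive_bytes).hexdigest() == pinned_sha256

# Constructed sample: the wiki page after an anonymous edit added a second link.
# A scraper that prefers the highest version number would pick the injected one.
WIKI_PAGE = """
<h1>PyYAML</h1>
<a href="https://pyyaml.org/files/PyYAML-0.0.tar.gz">source</a>
<a href="http://attacker.example/PyYAML-9.9.tar.gz">latest</a>
"""
BASE = "http://pyyaml.org/wiki/PyYAML"
SAMPLE_ARCHIVE = b"constructed archive bytes"          # stands in for a download
PINNED = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()    # recorded by the maintainer

if __name__ == "__main__":
    found = candidate_tarballs(WIKI_PAGE, BASE, "PyYAML")
    print("scraped:", found)
    print("trusted:", trusted_tarballs(found, {"pyyaml.org"}))
```

The host allow-list only narrows where a download may come from; the digest check is what ties the installed archive to the one the maintainer published.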