Merge pull request #1474 from dstufft/disable-implicit-compile
Monkeypatch the CFFI Verifier to prevent the implicit compile
diff --git a/src/cryptography/hazmat/bindings/utils.py b/src/cryptography/hazmat/bindings/utils.py
index 55b6129..ca2d91a 100644
--- a/src/cryptography/hazmat/bindings/utils.py
+++ b/src/cryptography/hazmat/bindings/utils.py
@@ -124,9 +124,20 @@
extra_compile_args=extra_compile_args,
extra_link_args=extra_link_args,
)
+
+ ffi.verifier.compile_module = _compile_module
+ ffi.verifier._compile_module = _compile_module
+
return ffi
+def _compile_module(*args, **kwargs):
+ raise RuntimeError(
+ "Attempted implicit compile of a cffi module. All cffi modules should "
+ "be pre-compiled at installation time."
+ )
+
+
def _create_modulename(cdef_sources, source, sys_version):
"""
cffi creates a modulename internally that incorporates the cffi version.
diff --git a/tests/hazmat/bindings/test_utils.py b/tests/hazmat/bindings/test_utils.py
index 3596cd1..5d5c4af 100644
--- a/tests/hazmat/bindings/test_utils.py
+++ b/tests/hazmat/bindings/test_utils.py
@@ -13,6 +13,11 @@
from __future__ import absolute_import, division, print_function
+import binascii
+import os
+
+import pytest
+
from cryptography.hazmat.bindings import utils
@@ -23,3 +28,12 @@
assert name == "_Cryptography_cffi_bcba7f4bx4a14b588"
name = utils._create_modulename(cdef_source, source, "3.2")
assert name == "_Cryptography_cffi_a7462526x4a14b588"
+
+
+def test_implicit_compile_explodes():
+ # This uses a random comment to make sure each test gets its own hash
+ random_comment = binascii.hexlify(os.urandom(24))
+ ffi = utils.build_ffi("/* %s */" % random_comment, "")
+
+ with pytest.raises(RuntimeError):
+ ffi.verifier.load_library()
