Should an XKCD easter egg that introduces a vulnerability in CPython be removed from core distro?

[fproulx-boostsecurity]

An XKCD comic easter egg was added to CPython back in 2008 (https://github.com/python/cpython/blob/main/Lib/antigravity.py)

This enables a Living Off The Pipeline technique (https://boostsecurityio.github.io/lotp/tool/python). I question the fact that this joke remains in core distro.

[rhettinger]

ISTM that the referenced article is not specific to antigravity but applies generally to webbrowser module. So this issue is overspecific.

This "vulnerability" presumes an attacker has the ability to write to environment variables (i.e. the system is already compromised prior to invoking webbrowser).

In the case of the antigravity module, it is normally invoked interactively where the user already has board system access. It isn't something you see in production code.

Overall, I don't assess that there is a real issue here, but will leave it to our security experts to opine for themselves.