> I still don't understand why this is considered a Python security problem.
> If the user can put a malicious "python3.dll" at some arbitrary spot in
> the filesystem (e.g. a USB flash drive), and fool Python.exe into loading
> it, then surely they could put an arbitrary executable at that same spot
> and launch it directly.
What would be the point of adding an arbitrary executable in "C:\spam" or "D:\"? It's not in the system PATH, "App Paths", or any file-association template command. But if you can inject code into vulnerable processes that embed Python by simply creating "C:\DLLs\python3.dll", that seems like low-hanging fruit to me. Just wait for it to be run with administrator access, and then you can own the entire system.