[Python-bugs-list] [ python-Bugs-404545 ] frozen package import uses wrong files

noreply@sourceforge.net noreply@sourceforge.net
Tue, 20 Mar 2001 11:43:05 -0800


Bugs item #404545, was updated on 2001-02-27 02:18
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470

Category: Python Interpreter Core
Group: None
Status: Open
>Priority: 2
Submitted By: Toby Dickenson (htrd)
Assigned to: Guido van Rossum (gvanrossum)
Summary: frozen package import uses wrong files

Initial Comment:
In a frozen package, importing a module from 
another package causes the import machinery to try to 
open some curiously named files, before finally finding 
the frozen data.

It is possible to 'break' a frozen program by creating 
a file of that name. The frozen program will try to 
import from it rather than the frozen data.


The following collection of modules demonstrates this 
(also in the attached zip):

 Directory of D:\Projects\import

2001-02-27  08:57                   11 b.n.py
2001-02-27  08:49                   10 x.py
               2 File(s)             21 bytes

 Directory of D:\Projects\import\a

2001-02-27  08:57                   27 m.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             27 bytes

 Directory of D:\Projects\import\b

2001-02-27  08:56                   11 n.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             11 bytes

     Total Files Listed:
               6 File(s)             59 bytes
               0 Dir(s)   1,485,537,280 bytes free


The 'real' program is made up of the three files with 
single character names plus the two __init__ files.

b.n.py is a rogue file that breaks a frozen program.

x.py contains "import a.m"

a/m.py contains "import b.n". This is the import that 
goes wrong. When run as a normal script it imports 
b/n.py.

However, a frozen binary appears to search for various 
a.b.* files over sys.path first. If it is run from the 
same directory as a.b.py then it will load that file 
instead. Note that this file is not included in the 
freeze.
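
Added example, not part of the original report or of Python's own code: a check that lists files on a frozen program's search path whose names match a frozen dotted module name, like the b.n.py file in the listing above. The function name, the suffix list and the caller-supplied module list are assumptions; the directory layout is constructed to mirror the report.

```python
import os
import tempfile

# Assumption: suffixes worth flagging; the report itself only shows a ".py" file.
SUFFIXES = (".py", ".pyc", ".pyo", ".pyd", ".so")


def find_shadowing_files(frozen_modules, search_dirs, suffixes=SUFFIXES):
    """Return sorted (path, module) pairs for files named <dotted.module><suffix>.

    frozen_modules: module names compiled into the binary (supplied by the caller).
    search_dirs: directories the binary will search, e.g. its sys.path.
    """
    # Only dotted names matter: "b.n.py" is never a legitimate source file name.
    wanted = {os.path.normcase(m): m for m in frozen_modules if "." in m}
    hits = []
    for directory in search_dirs:
        try:
            entries = os.listdir(directory or ".")  # "" on sys.path means cwd
        except OSError:
            continue  # missing or unreadable path entry
        for entry in entries:
            stem, ext = os.path.splitext(os.path.normcase(entry))
            full = os.path.join(directory, entry)
            if ext in suffixes and stem in wanted and os.path.isfile(full):
                hits.append((full, wanted[stem]))
    return sorted(hits)


def demo():
    """Build the report's layout in a temp directory and scan its top level."""
    layout = ("x.py", "b.n.py", "a/__init__.py", "a/m.py",
              "b/__init__.py", "b/n.py")  # constructed sample, empty files
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        frozen = ["x", "a", "a.m", "b", "b.n"]
        hits = find_shadowing_files(frozen, [root, os.path.join(root, "missing")])
        return [(os.path.relpath(p, root), m) for p, m in hits]


if __name__ == "__main__":
    for path, module in demo():
        print("%s would shadow frozen module %s" % (path, module))
```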



----------------------------------------------------------------------

>Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-20 11:43

Message:

I agree this is a bug.

I think there are lots of other ways to break frozen
programs, so I don't think this is a high priority security
bug.

I wish I had more time to research this, but I don't, so
I'll give this a low priority.  If someone submits a patch,
I'd be grateful!

----------------------------------------------------------------------
