[Python-bugs-list] [ python-Bugs-404545 ] frozen package import uses wrong files
noreply@sourceforge.net
noreply@sourceforge.net
Tue, 20 Mar 2001 11:43:05 -0800
Bugs item #404545, was updated on 2001-02-27 02:18
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470
Category: Python Interpreter Core
Group: None
Status: Open
>Priority: 2
Submitted By: Toby Dickenson (htrd)
Assigned to: Guido van Rossum (gvanrossum)
Summary: frozen package import uses wrong files
Initial Comment:
In a frozen package, importing a module from
another package causes the import machinery to try to
open some curiously named files, before finally finding
the frozen data.
It is possible to 'break' a frozen program by creating
a file of that name. The frozen program will try to
import from it rather than the frozen data.
The following collection of modules demonstrates this
(also in the attached zip):
Directory of D:\Projects\import
2001-02-27 08:57 11 b.n.py
2001-02-27 08:49 10 x.py
2 File(s) 21 bytes
Directory of D:\Projects\import\a
2001-02-27 08:57 27 m.py
2001-02-27 09:58 0 __init__.py
2 File(s) 27 bytes
Directory of D:\Projects\import\b
2001-02-27 08:56 11 n.py
2001-02-27 09:58 0 __init__.py
2 File(s) 11 bytes
Total Files Listed:
6 File(s) 59 bytes
0 Dir(s) 1,485,537,280 bytes free
The 'real' program is made up of the three files with
single character names plus the two __init__ files.
b.n.py is a rogue file that breaks a frozen program.
x.py contains "import a.m"
a/m.py contains "import b.n". This is the import that
goes wrong. When run as a normal script it imports
b/n.py.
However, a frozen binary appears to search for various
a.b.* files over sys.path first. If it is run from the
same directory as a.b.py then it will load that file
instead. Note that this file is not included in the
freeze.
----------------------------------------------------------------------
>Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-20 11:43
Message:
Logged In: YES
user_id=6380
I agree this is a bug.
I think there are lots of other ways to break frozen
programs, so I don't think this is a high priority security
bug.
I wish I had more time to research this, but I don't, so
I'll give this a low priority. If someone submits a patch,
I'd be grateful!
----------------------------------------------------------------------
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470