[Python-bugs-list] [ python-Bugs-404545 ] frozen package import uses wrong files

noreply@sourceforge.net noreply@sourceforge.net
Thu, 18 Oct 2001 11:52:46 -0700 

Bugs item #404545, was opened at 2001-02-27 02:18
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470

Category: Python Interpreter Core
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 2
Submitted By: Toby Dickenson (htrd)
Assigned to: Guido van Rossum (gvanrossum)
Summary: frozen package import uses wrong files

Initial Comment:
In a frozen package, importing a module from 
another package causes the import machinery to try to 
open some curiously named files, before finally finding 
the frozen data.

It is possible to 'break' a frozen program by creating 
a file of that name. The frozen program will try to 
import from it rather than the frozen data.


The following collection of modules demonstrates this 
(also in the attached zip):

 Directory of D:\Projects\import

2001-02-27  08:57                   11 b.n.py
2001-02-27  08:49                   10 x.py
               2 File(s)             21 bytes

 Directory of D:\Projects\import\a

2001-02-27  08:57                   27 m.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             27 bytes

 Directory of D:\Projects\import\b

2001-02-27  08:56                   11 n.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             11 bytes

     Total Files Listed:
               6 File(s)             59 bytes
               0 Dir(s)   1,485,537,280 bytes free


The 'real' program is made up of the three files with 
single character names plus the two __init__ files.

b.n.py is a rogue file that breaks a frozen program.

x.py contains "import a.m"

a/m.py contains "import b.n". This is the import that 
goes wrong. When run as a normal script it imports 
b/n.py.

However, a frozen binary appears to search for various 
a.b.* files over sys.path first. If it is run from the 
same directory as a.b.py then it will load that file 
instead. Note that this file is not included in the 
freeze.



----------------------------------------------------------------------

>Comment By: Guido van Rossum (gvanrossum)
Date: 2001-10-18 11:52

Message:
Logged In: YES 
user_id=6380

This is now fixed by patch #416704 which is checked in.

----------------------------------------------------------------------

Comment By: Toby Dickenson (htrd)
Date: 2001-04-17 07:30

Message:
Logged In: YES 
user_id=46460

Fix for this (and several other ways to break a frozen 
program) are in patch #416704 

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-23 10:09

Message:
Logged In: YES 
user_id=6380

Note, I tried this on Linux, and I couldn't reproduce it.  

What Python version were you using?

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-20 11:43

Message:
Logged In: YES 
user_id=6380

I agree this is a bug.

I think there are lots of other ways to break frozen
programs, so I don't think this is a high priority security
bug.

I wish I had more time to research this, but I don't, so
I'll give this a low priority.  If someone submits a patch,
I'd be grateful!

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470