[Python-bugs-list] [ python-Bugs-404545 ] frozen package import uses wrong files

noreply@sourceforge.net noreply@sourceforge.net
Sun, 24 Nov 2002 12:35:46 -0800


Bugs item #404545, was opened at 2001-02-27 11:18
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470

Category: Python Interpreter Core
Group: None
Status: Closed
Resolution: Fixed
Priority: 2
Submitted By: Toby Dickenson (htrd)
Assigned to: Guido van Rossum (gvanrossum)
Summary: frozen package import uses wrong files

Initial Comment:
In a frozen package, importing a module from 
another package causes the import machinery to try to 
open some curiously named files, before finally finding 
the frozen data.

It is possible to 'break' a frozen program by creating 
a file of that name. The frozen program will try to 
import from it rather than the frozen data.


The following collection of modules demonstrates this 
(also in the attached zip):

 Directory of D:\Projects\import

2001-02-27  08:57                   11 b.n.py
2001-02-27  08:49                   10 x.py
               2 File(s)             21 bytes

 Directory of D:\Projects\import\a

2001-02-27  08:57                   27 m.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             27 bytes

 Directory of D:\Projects\import\b

2001-02-27  08:56                   11 n.py
2001-02-27  09:58                    0 __init__.py
               2 File(s)             11 bytes

     Total Files Listed:
               6 File(s)             59 bytes
               0 Dir(s)   1,485,537,280 bytes free


The 'real' program is made up of the three files with 
single character names plus the two __init__ files.

b.n.py is a rogue file that breaks a frozen program.

x.py contains "import a.m"

a/m.py contains "import b.n". This is the import that 
goes wrong. When run as a normal script it imports 
b/n.py.

However, a frozen binary appears to search for various 
a.b.* files over sys.path first. If it is run from the 
same directory as a.b.py then it will load that file 
instead. Note that this file is not included in the 
freeze.



----------------------------------------------------------------------

>Comment By: Just van Rossum (jvr)
Date: 2002-11-24 21:35

Message:
Logged In: YES 
user_id=92689

Almost two years later: I just tried this with Toby's patch
removed and can't reproduce this either (on OSX/Darwin).
Looking at find_module() in import.c I don't see how it
could *ever* be reproduced, since the frozen modules list is
always searched first.

The reason I bring this up again is that I currently have
the opposite problem: using extension modules as submodules
of frozen packages is not possible anymore. This goes both
for builtin extensions (dotted name in PyImport_Inittab
entry) as well as for dynamically loaded extension (dotted
name as .so/.pyd filename).

With MacPython we already encountered this problem earlier,
and Jack added an #ifdef macintosh switch, basically
disabling the patch. I'm going to suggest taking the switch
out and revert import.c to the old behavior. Will do so by
reopening patch #416704 unless another way is preferred.

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-10-18 20:52

Message:
Logged In: YES 
user_id=6380

This is now fixed by patch #416704 which is checked in.

----------------------------------------------------------------------

Comment By: Toby Dickenson (htrd)
Date: 2001-04-17 16:30

Message:
Logged In: YES 
user_id=46460

Fix for this (and several other ways to break a frozen 
program) are in patch #416704 

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-23 19:09

Message:
Logged In: YES 
user_id=6380

Note, I tried this on Linux, and I couldn't reproduce it.  

What Python version were you using?

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-03-20 20:43

Message:
Logged In: YES 
user_id=6380

I agree this is a bug.

I think there are lots of other ways to break frozen
programs, so I don't think this is a high priority security
bug.

I wish I had more time to research this, but I don't, so
I'll give this a low priority.  If someone submits a patch,
I'd be grateful!

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=404545&group_id=5470