Issue 15272: pkgutil.find_loader accepts invalid module names

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/59477

classification

Title:	pkgutil.find_loader accepts invalid module names
Type:	behavior	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.6

process

Status:	closed	Resolution:	out of date
Dependencies:		Superseder:
Assigned To:		Nosy List:	Arfrever, brett.cannon, eric.araujo, eric.snow, georg.brandl, ncoghlan
Priority:	normal	Keywords:

Created on 2012-07-07 10:19 by ncoghlan, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (6)
msg164806 - (view)	Author: Nick Coghlan (ncoghlan) *	Date: 2012-07-07 10:19
The pkgutil import emulation is insane and permits modules identifiers to contain paths. Identified in #15230 (reporting some very surprising behaviour from runpy.run_module).
msg165155 - (view)	Author: Nick Coghlan (ncoghlan) *	Date: 2012-07-10 03:54
I've taken 3.2 and 2.7 off the list - no doubt someone, somewhere is relying on this particular piece of missing input validation, so it's not worth risking breakage in a point release. I think it's worth fixing for 3.3, though.
msg165499 - (view)	Author: Nick Coghlan (ncoghlan) *	Date: 2012-07-15 03:45
I'll add a regression test for this as part of my purge of any internal usage of the pkgutil import emulation.
msg165515 - (view)	Author: Nick Coghlan (ncoghlan) *	Date: 2012-07-15 09:43
OK, this one is trickier than I thought - the exact behaviour depends on how you traverse the code, and I believe a PEP 302 importer is technically allowed to accept "/" in module names. (Unless there's a module names "must be valid identifiers" in there somewhere that I have forgotten about) Punting on it for the moment.
msg165953 - (view)	Author: Brett Cannon (brett.cannon) *	Date: 2012-07-20 17:34
PEP 302 just says that find_module "will be called with the fully qualified name of the module." And importation by file name was removed in Python 3 (at some point; don't remember exact feature release). So supporting slashes in a module name is probably not necessary anymore.
msg275060 - (view)	Author: Eric Snow (eric.snow) *	Date: 2016-09-08 16:40
pkgutil has since been updated to use importlib, meaning it relies on importlib to sort this out.

History
Date	User	Action	Args
2022-04-11 14:57:32	admin	set	github: 59477
2016-09-08 16:40:11	eric.snow	set	status: open -> closed versions: + Python 3.6, - Python 3.3 messages: + msg275060 components: + Library (Lib) resolution: out of date stage: needs patch -> resolved
2012-11-13 04:56:37	eric.snow	set	nosy: + eric.snow
2012-07-20 17:34:00	brett.cannon	set	messages: + msg165953
2012-07-15 09:43:51	ncoghlan	set	assignee: ncoghlan -> messages: + msg165515
2012-07-15 09:33:54	ncoghlan	set	assignee: ncoghlan
2012-07-15 03:45:21	ncoghlan	set	messages: + msg165499
2012-07-11 03:21:02	Arfrever	set	nosy: + Arfrever
2012-07-10 03:54:30	ncoghlan	set	versions: - Python 2.7, Python 3.2 nosy: + georg.brandl messages: + msg165155 type: behavior stage: needs patch
2012-07-07 15:24:22	eric.araujo	set	nosy: + eric.araujo versions: + Python 2.7
2012-07-07 10:19:46	ncoghlan	create