New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Traceback display code can attempt to open a file named "<stdin>" #43572
Comments
Now, exactly WHY is it looking for a file called This bug has been present since at least 2.3.3 - I strace -e open python
Python 2.5b1 (trunk:47059, Jun 29 2006, 14:26:46)
[GCC 4.1.0 (SUSE Linux)] on linux2
>>> import dismal
open("dismal.so", O_RDONLY) = -1 ENOENT (No
such file or directory)open("dismalmodule.so",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("dismal.py", O_RDONLY) = -1 ENOENT (No
such file or directory)
open("dismal.pyc", O_RDONLY) = -1 ENOENT (No
such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/dismal.so",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/<stdin>",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/plat-linux2/<stdin>",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/lib-tk/<stdin>",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/lib-dynload/<stdin>",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/nmm/Python_2.5/lib/python2.5/site-packages/<stdin>",
O_RDONLY) = -1 ENOENT (No such file or directory)
File "<stdin>", line 1, in <module>
ImportError: No module named dismal
>>> |
Logged In: YES It's probably looking for a file named <stdin> because the co_filename >>> import sys
>>> f = sys._getframe(0)
>>> f.f_code.co_filename
'<stdin>' I agree that looking for that file is rather pointless and a bug. |
Confirmed in py3k and trunk. It's also possible to create a file named |
The bug is certainly not catastrophic, but creates ln -s /etc/shadow '<stdin>' or whatever. |
I don't think the security risk exists due to this bug. As Python is searching for various places anyway, an attacker could just symlink one of those places anyway instead of '<stdin>'. |
The problem is not in the import, but when displaying the traceback of the exception. In other words, if you catch the exception, no attempt to open "<stdin>" happens: $ strace -e open ./python
[...]
Python 3.5.0a0 (default:3417a95df7e2, Apr 16 2014, 17:57:12)
[GCC 4.8.1] on linux
[...]
>>>
>>> try: import dismal
... except ImportError: pass
...
>>> |
Also, by construction it will only happen if the import happens under the interpreter prompt (hence the "<stdin>" filename). I honestly don't think this deserves introducing some complication, only to avoid a couple filesystem accesses. |
I was able to reproduce it on 3.8, but I'm confused about where the open is happening because linecache.updatecache tries to avoid this: if not filename or (filename.startswith('<') and filename.endswith('>')):
return [] |
Ok, I'm unconfused now - this is the C version of the traceback, in _Py_DisplaySourceLine, not the traceback.py one that uses linecache. It wouldn't be hard to add the check for "<>" in the filename there. Is there a reason not to do it? |
New changeset f71300c by Irit Katriel in branch 'main': |
Fixed for Python 3.11. Thanks! ✨ 🍰 ✨ |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: