New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkgutil.find_loader accepts invalid module names #59477
Comments
The pkgutil import emulation is insane and permits modules identifiers to contain paths. Identified in bpo-15230 (reporting some very surprising behaviour from runpy.run_module). |
I've taken 3.2 and 2.7 off the list - no doubt someone, somewhere is relying on this particular piece of missing input validation, so it's not worth risking breakage in a point release. I think it's worth fixing for 3.3, though. |
I'll add a regression test for this as part of my purge of any internal usage of the pkgutil import emulation. |
OK, this one is trickier than I thought - the exact behaviour depends on how you traverse the code, and I believe a PEP-302 importer is technically allowed to accept "/" in module names. (Unless there's a module names "must be valid identifiers" in there somewhere that I have forgotten about) Punting on it for the moment. |
PEP-302 just says that find_module "will be called with the fully qualified name of the module." And importation by file name was removed in Python 3 (at some point; don't remember exact feature release). So supporting slashes in a module name is probably not necessary anymore. |
pkgutil has since been updated to use importlib, meaning it relies on importlib to sort this out. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: