Message103482
FWIW attached is a patch that allows only valid identifiers before calling import_submodule(), and returns silently otherwise (for backwards compatibility).
For the record, the reason that empty strings and some combinations of slashes/dots caused the double import was that they were concatenated to the path, and if the final path was a valid directory and contained an __init__.py it was imported. E.g. __import__('pkg.subpkg', fromlist=['/../.']) ends up looking in "pkg/subpkg//../.". On the surface this seems like a potential directory traversal attack hole, although I couldn't get past 'pkg' by passing '../../../', so I guess there must be other checks before attempting the import.
Date | User | Action | Args
2010-04-18 11:41:16 | gsakkis | set | recipients: + gsakkis, brett.cannon, rhettinger, hauser, eric.araujo, mrts
2010-04-18 11:41:16 | gsakkis | set | messageid: <1271590876.27.0.823287851841.issue2090@psf.upfronthosting.co.za>
2010-04-18 11:41:14 | gsakkis | link | issue2090 messages
2010-04-18 11:41:13 | gsakkis | create |
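The following Python sketch is an added example, not the patch attached to this message or CPython's import.c. It models the naive path concatenation the message describes and the fix it proposes (only valid identifiers reach the submodule import); the function names unsafe_candidate_path, valid_fromlist_names and stays_inside_package are assumed, and the containment check is an extra defensive layer rather than part of the patch.

```python
import keyword
import posixpath


def unsafe_candidate_path(pkg_path: str, name: str) -> str:
    # Hypothetical model of the old lookup: the package directory, a
    # separator and the raw fromlist entry are simply concatenated, so
    # fromlist=['/../.'] on "pkg/subpkg" yields "pkg/subpkg//../.".
    return pkg_path + "/" + name


def is_valid_submodule_name(name) -> bool:
    # A submodule name must be a str that is a Python identifier and
    # not a reserved keyword; "", "/../." and "a.b" all fail this test.
    return isinstance(name, str) and name.isidentifier() and not keyword.iskeyword(name)


def valid_fromlist_names(fromlist) -> list:
    # The check the message describes: keep only entries that can name a
    # submodule and drop the rest silently (backwards-compatible).
    return [n for n in fromlist if is_valid_submodule_name(n)]


def stays_inside_package(pkg_path: str, name: str) -> bool:
    # Defensive containment check on the normalised candidate path.
    # It rejects "/../." (normalises to "pkg", outside "pkg/subpkg"),
    # but accepts "" (normalises to the package itself), which is exactly
    # the double-import case; that is why identifier validation, not
    # path normalisation, is the right fix.
    base = posixpath.normpath(pkg_path)
    candidate = posixpath.normpath(unsafe_candidate_path(pkg_path, name))
    return candidate == base or candidate.startswith(base + "/")


if __name__ == "__main__":
    # Constructed sample fromlist mixing valid names with the bad entries
    # discussed in the message.
    sample = ["", "/../.", "sub", "class", "a.b", "mod2"]
    print(unsafe_candidate_path("pkg/subpkg", "/../."))
    print(valid_fromlist_names(sample))
    for entry in sample:
        print(repr(entry), stays_inside_package("pkg/subpkg", entry))
```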