Message103482
| Author | gsakkis |
| Recipients | brett.cannon, eric.araujo, gsakkis, hauser, mrts, rhettinger |
| Date | 2010-04-18 11:41:13 |
| SpamBayes Score | 9.620682e-11 |
| Marked as misclassified | No |
| Message-id | <1271590876.27.0.823287851841.issue2090@psf.upfronthosting.co.za> |
| In-reply-to | |

Content:
FWIW, attached is a patch that allows only valid identifiers before calling import_submodule(), and returns silently otherwise (for backwards compatibility).

For the record, the reason that empty strings and some combinations of slashes/dots caused the double import was that they were concatenated to the path, and if the final path was a valid directory and contained an __init__.py, it was imported. E.g. __import__('pkg.subpkg', fromlist=['/../.']) ends up looking in "pkg/subpkg//../.". On the surface, this seems like a potential directory traversal attack hole, although I couldn't get past 'pkg' by passing '../../../', so I guess there must be other checks before attempting the import.
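The following is an added example, not gsakkis's patch and not CPython's import machinery. It shows the identifier check the message describes, applied as a wrapper around a package import so that entries such as '' and '/../.' are skipped silently, and a constructed illustration of where a raw fromlist entry would resolve if it were simply joined onto the package directory (the path concatenation the message attributes to the old lookup). The names valid_submodule_names, path_probed_by_old_lookup, import_fromlist and demo, and the throwaway package that demo builds, are all assumptions of this example.

```python
import importlib
import keyword
import os
import shutil
import sys
import tempfile


def valid_submodule_names(fromlist):
    """Keep only fromlist entries that can actually name a submodule.

    Rejects non-strings, empty strings, anything with slashes or dots
    (not identifiers) and keywords, before any filesystem lookup happens.
    """
    return [
        name for name in fromlist
        if isinstance(name, str)
        and name.isidentifier()
        and not keyword.iskeyword(name)
    ]


def path_probed_by_old_lookup(package_dir, entry):
    """Constructed illustration only: resolve package_dir + '/' + entry.

    This mimics the concatenation described in the message so the reader
    can see why '/../.' under 'pkg/subpkg' lands back on 'pkg' and why ''
    lands on 'pkg/subpkg' itself (hence the double import). It is not the
    interpreter's own code.
    """
    return os.path.normpath(package_dir + "/" + entry)


def import_fromlist(modname, fromlist):
    """Import modname, then each fromlist entry that passes the identifier
    check as a submodule; everything else is ignored silently, which is the
    backwards-compatible behaviour the message's patch keeps.

    Returns the package module and the list of submodules actually loaded.
    """
    mod = importlib.import_module(modname)
    imported = []
    for name in valid_submodule_names(fromlist):
        if hasattr(mod, name):
            continue  # already present as an attribute or submodule
        try:
            importlib.import_module(modname + "." + name)
        except ImportError:
            continue  # a fromlist entry may name an attribute that doesn't exist
        imported.append(name)
    return mod, imported


def demo():
    """Build a throwaway package (constructed for this example) and import
    it with a fromlist mixing valid and invalid entries."""
    root = tempfile.mkdtemp()
    pkgdir = os.path.join(root, "pkg")
    os.mkdir(pkgdir)
    with open(os.path.join(pkgdir, "__init__.py"), "w") as f:
        f.write("MARK = 'pkg'\n")
    with open(os.path.join(pkgdir, "sub.py"), "w") as f:
        f.write("MARK = 'pkg.sub'\n")
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    try:
        mod, imported = import_fromlist(
            "pkg", ["", "/../.", "sub", "missing", "class"]
        )
        return mod.MARK, mod.sub.MARK, imported
    finally:
        sys.path.remove(root)
        for name in ("pkg", "pkg.sub"):
            sys.modules.pop(name, None)
        shutil.rmtree(root)


if __name__ == "__main__":
    for entry in ["", "/../.", "../../../", "sub"]:
        print(repr(entry), "->", path_probed_by_old_lookup("pkg/subpkg", entry))
    print(demo())
```

The filter is deliberately stricter than "is it a string": str.isidentifier() alone would still let keywords through, and a fromlist entry that is a keyword can never be a legitimate submodule name either.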