George Sakkis <george.sak...@gmail.com> added the comment:

FWIW attached is a patch that allows only valid identifiers before calling 
import_submodule(), and returns silently otherwise (for backwards 
compatibility).

For the record, the reason that empty strings and some combinations of 
slashes/dots caused the double import was that they were concatenated to the 
path, and if the final path was a valid directory and contained an __init__.py 
it was imported. E.g. __import__('pkg.subpkg', fromlist=['/../.']) ends up 
looking in "pkg/subpkg//../.". On the surface this seems like a potential 
directory traversal attack hole, although I couldn't get past 'pkg' by passing 
'../../../', so I guess there must be other checks before attempting the import.

----------
keywords: +patch
Added file: http://bugs.python.org/file16971/issue_2090.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue2090>
_______________________________________
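An added example (not the attached patch, and not CPython's own import code) that reproduces the two points of the comment in plain Python: the path-concatenation behaviour that let `''` or `'/../.'` in a fromlist resolve to an existing package directory, and the patch's approach of accepting only valid identifiers and silently skipping everything else. `guarded_import`, `valid_fromlist` and `naive_submodule_path` are names chosen here, not names from the tracker.

```python
import importlib
import keyword
import posixpath

# Constructed example: the fix described in the comment, expressed on top of
# importlib instead of in the C import machinery.


def valid_fromlist(fromlist):
    """Keep only entries that are legal submodule names; drop the rest silently
    (the comment's "returns silently otherwise" for backwards compatibility)."""
    return [name for name in fromlist
            if isinstance(name, str)
            and name.isidentifier()
            and not keyword.iskeyword(name)]


def naive_submodule_path(pkg_dir, item):
    """Mimic the pre-patch behaviour described in the comment: the fromlist
    entry is simply appended to the package directory with a separator, so
    __import__('pkg.subpkg', fromlist=['/../.']) looked in 'pkg/subpkg//../.'."""
    return pkg_dir + "/" + item


def resolved_submodule_dir(pkg_dir, item):
    """Where the naive path actually points once normalised. An empty entry
    resolves back to the package itself (hence the double import), and
    '/../.' resolves to the parent directory."""
    return posixpath.normpath(naive_submodule_path(pkg_dir, item))


def guarded_import(name, fromlist=()):
    """Import `name` and then only submodules whose fromlist entry is a valid
    identifier; non-submodule entries are ignored, as with __import__."""
    module = importlib.import_module(name)
    for sub in valid_fromlist(fromlist):
        if hasattr(module, sub):
            continue  # already an attribute, nothing to import
        try:
            importlib.import_module(f"{name}.{sub}")
        except ImportError:
            pass
    return module
```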