[3.11] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_c...

* gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507)
(cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e)

Co-authored-by: Steve Dower <steve.dower@python.org>
* Fix docs reference

---------

Co-authored-by: Steve Dower <steve.dower@python.org>

diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
index e53f6acf38fc642f79a744f46d70b8b289ca7be0..588da3c7ad1517e0511d1995dce821b0955cef5c 100644 (file)
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -1126,7 +1126,7 @@ class FileLoader:
 
     def get_data(self, path):
         """Return the data from path as raw bytes."""
-        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
             with _io.open_code(str(path)) as file:
                 return file.read()
         else:

diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
new file mode 100644 (file)
index 0000000..edeb9e6
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes CVE-2026-2297 by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.