From 2f30fcf6748ae3baace466a1052787ba2e54fe65 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Sun, 12 Apr 2026 02:10:53 +0200
Subject: [PATCH] [3.13] gh-148337: Document `importlib.resources` security
 model (GH-148340) (#148355)

gh-148337: Document `importlib.resources` security model (GH-148340)
(cherry picked from commit 70b86e7829c42d36c80853ba9bf1da0d8464065b)

Co-authored-by: Stan Ulbrych <stan@python.org>
---
 Doc/library/importlib.resources.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Doc/library/importlib.resources.rst b/Doc/library/importlib.resources.rst
index 7a11f4fe0690..46eab78a22b6 100644
--- a/Doc/library/importlib.resources.rst
+++ b/Doc/library/importlib.resources.rst
@@ -31,6 +31,12 @@ not** have to exist as physical files and directories on the file system:
 for example, a package and its resources can be imported from a zip file using
 :py:mod:`zipimport`.
 
+.. warning::
+
+   :mod:`importlib.resources` follows the same security model as the built-in
+   :func:`open` function. Passing untrusted inputs to the functions
+   in this module is unsafe.
+
 .. note::
 
    This module provides functionality similar to `pkg_resources
-- 
2.47.3