[3.14] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_c...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Wed, 4 Mar 2026 20:21:29 +0000 (21:21 +0100)

committer GitHub <noreply@github.com>

Wed, 4 Mar 2026 20:21:29 +0000 (20:21 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 4 Mar 2026 20:21:29 +0000 (21:21 +0100)
committer GitHub <noreply@github.com>
Wed, 4 Mar 2026 20:21:29 +0000 (20:21 +0000)
diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py

index 95ce14b2c3942ef9b939c18e0a1919d57cd2c2c3..6a828ae75ed34c1fb2148563d4e245dac212a3ca 100644 (file)
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -946,7 +946,7 @@ class FileLoader:
  
      def get_data(self, path):
          """Return the data from path as raw bytes."""
-        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
              with _io.open_code(str(path)) as file:
                  return file.read()
          else:
diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst

new file mode 100644 (file)

index 0000000..dcdb44d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Wed, 4 Mar 2026 20:21:29 +0000 (21:21 +0100)
committer	GitHub <noreply@github.com>
	Wed, 4 Mar 2026 20:21:29 +0000 (20:21 +0000)
Lib/importlib/_bootstrap_external.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst	[new file with mode: 0644]	patch \| blob