From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Wed, 4 Mar 2026 20:21:29 +0000 (+0100) Subject: [3.14] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_c... X-Git-Tag: v3.14.4~208 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86;p=thirdparty%2FPython%2Fcpython.git [3.14] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507)` (cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e) Co-authored-by: Steve Dower --- diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py index 95ce14b2c394..6a828ae75ed3 100644 --- a/Lib/importlib/_bootstrap_external.py +++ b/Lib/importlib/_bootstrap_external.py @@ -946,7 +946,7 @@ class FileLoader: def get_data(self, path): """Return the data from path as raw bytes.""" - if isinstance(self, (SourceLoader, ExtensionFileLoader)): + if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)): with _io.open_code(str(path)) as file: return file.read() else: diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst new file mode 100644 index 000000000000..dcdb44d4fae4 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst @@ -0,0 +1,2 @@ +Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +:func:`io.open_code` when opening ``.pyc`` files.