https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e
commit: a51b1b512de1d56b3714b65628a2eae2b07e535e
branch: main
author: Steve Dower <[email protected]>
committer: zooba <[email protected]>
date: 2026-03-04T19:55:52Z
summary:
gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses
io.open_code (GH-145507)
files:
A Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
M Lib/importlib/_bootstrap_external.py
diff --git a/Lib/importlib/_bootstrap_external.py
b/Lib/importlib/_bootstrap_external.py
index 213190d2098e75..a1cb729efb7fef 100644
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -918,7 +918,7 @@ def get_filename(self, fullname):
def get_data(self, path):
"""Return the data from path as raw bytes."""
- if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+ if isinstance(self, (SourceLoader, SourcelessFileLoader,
ExtensionFileLoader)):
with _io.open_code(str(path)) as file:
return file.read()
else:
diff --git
a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
new file mode 100644
index 00000000000000..dcdb44d4fae4e5
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
