From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@python.org>
Date: Wed, 4 Mar 2026 19:55:52 +0000
Subject: 00483: CVE-2026-2297
Logging Bypass in Legacy .pyc File Handling
---
Lib/importlib/_bootstrap_external.py | 2 +-
.../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
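diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
index 9b8a8dfc5a..6e4a087a10 100644
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -1186,7 +1186,7 @@ def get_filename(self, fullname):
 
 def get_data(self, path):
 """Return the data from path as raw bytes."""
- if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+ if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
 with _io.open_code(str(path)) as file:
 return file.read()
 else: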
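Review bot: The `isinstance` tuple in `get_data` is an allowlist, so a loader that reaches this method without being one of the three listed classes still falls through to the `else:` branch, whose body is outside the hunk and presumably reads the file without `io.open_code`. That is the same gap this change closes for `SourcelessFileLoader`, so I would record the invariant above the check, e.g. `# Any loader whose data is executed as code must be listed here so reads go through io.open_code().`. The diffstat shows only this file and the NEWS entry; a regression test that loads a sourceless `.pyc` and asserts the `io.open_code` path was used would keep the fix from regressing. `get_data` starts inside the hunk but its `else:` body continues past it.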
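diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
new file mode 100644
index 0000000000..dcdb44d4fa
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.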