Marcin Kasperski <marcin.kasper...@mekk.waw.pl> added the comment:

Hmm, I noticed this accidentally and tried to port https://github.com/pypa/setuptools/issues/1635 to the new API. Well:

>>> import multiprocessing
>>> import sys
>>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing')
>>> reader.open_resource('../../../../etc/passwd')
<_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True>

I suppose this is a case which deserves some thought (originally I faced it 
when some webapp used pkg_resources to provide static files and used the resource 
API as a way to validate URLs impacted by external input).

Tested on Python 3.7.3, on Ubuntu 19.04.

----------
nosy: +Mekk

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36128>
_______________________________________
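
A containment check an application can apply before a resource name derived from external input reaches a resource lookup like the one in the comment above. This is an added example, not code from the tracker comment or from CPython; `open_resource_checked`, `UnsafeResourceName` and the temporary package tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeResourceName(ValueError):
    """Raised when a resource name would resolve outside the package directory."""


def open_resource_checked(package_dir, name):
    """Open `name` under `package_dir` only if the resolved path stays inside it.

    Hypothetical wrapper (an assumption of this example, not a stdlib API).
    """
    if not name or "\x00" in name or os.path.isabs(name):
        raise UnsafeResourceName(name)
    base = Path(package_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is made
    # on the final location rather than on the literal text of the name.
    target = (base / name).resolve()
    if base not in target.parents:
        raise UnsafeResourceName(name)
    return open(target, "rb")


def demo():
    """Try benign and escaping names against a constructed package tree."""
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root) / "pkg"
        pkg.mkdir()
        (pkg / "data.txt").write_bytes(b"static asset")
        (Path(root) / "secret.txt").write_bytes(b"outside the package")
        cases = {
            "plain": "data.txt",
            "dotdot": "../secret.txt",            # same shape as the name in the report
            "normalized": "sub/../data.txt",      # contains "..", yet stays inside
            "absolute": str(Path(root) / "secret.txt"),
        }
        results = {}
        for label, name in cases.items():
            try:
                with open_resource_checked(pkg, name) as fh:
                    results[label] = fh.read()
            except UnsafeResourceName:
                results[label] = None  # rejected before any file was opened
        return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The check compares resolved paths, so a name that merely contains `..` but still lands inside the package directory is accepted, while one that climbs out of it is refused.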