Message 356361 - Python tracker

Hmm, I noticed this accidentally and tried to port https://github.com/pypa/setuptools/issues/1635 to the new API. Well:

```python
>>> import multiprocessing
>>> import sys
>>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing')
>>> reader.open_resource('../../../../etc/passwd')
<_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True>
```

I suppose this is a case which deserves some thought (originally I faced it when some webapp used pkg_resources to provide static files and used the resource API as a way to validate URLs impacted by external input).

Tested on Python 3.7.3, on Ubuntu 19.04.
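
A guard for the web-app scenario described in the message, as an added example that is not part of the original message or of CPython: it refuses anything that is not a bare file name before the name reaches a reader's `open_resource()`. The names `check_resource_name`, `open_resource_checked` and the stand-in `DirReader` are hypothetical, and the directory layout is constructed.

```python
import ntpath
import os
import posixpath
import tempfile


def check_resource_name(name):
    """Return name if it is a single path component, else raise ValueError."""
    if not isinstance(name, str) or name in ("", ".", "..") or "\x00" in name:
        raise ValueError("not a bare file name: %r" % (name,))
    # Apply both POSIX and Windows rules so '/', '\\' and drive prefixes
    # are refused regardless of the host platform (deliberately strict).
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        raise ValueError("not a bare file name: %r" % (name,))
    return name


def open_resource_checked(reader, name):
    """Validate name, then delegate to any object with open_resource()."""
    return reader.open_resource(check_resource_name(name))


class DirReader:
    """Constructed stand-in for a file-system reader: joins names unchecked."""
    def __init__(self, directory):
        self.directory = directory

    def open_resource(self, name):
        return open(os.path.join(self.directory, name), "rb")


def demo():
    """Constructed layout: <root>/outside.txt and <root>/pkg/data.txt."""
    outcome = {}
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "pkg")
        os.mkdir(pkg)
        for path, body in ((os.path.join(root, "outside.txt"), b"outside"),
                           (os.path.join(pkg, "data.txt"), b"inside")):
            with open(path, "wb") as fh:
                fh.write(body)
        reader = DirReader(pkg)
        for name in ("data.txt", "../outside.txt", "/etc/passwd", "sub/../data.txt"):
            try:
                with open_resource_checked(reader, name) as fh:
                    outcome[name] = fh.read()
            except ValueError:
                outcome[name] = "rejected"
    return outcome
```

The check runs on the name alone, so it does not depend on what the underlying reader does with path separators.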