Message 394507 - Python tracker

The preferred API as implemented in Python 3.9 and importlib_resources 1.1 is the files() API. This simpler API returns a Traversable object, a pathlib-like handle to the contents of a package. This approach side-steps the issues described above. In particular, is_resource no longer has a purpose. Path traversal is handled naturally through Traversable.join_path. Resources in subdirectories are now supported.

Parent objects ('..') are allowed, but only incidentally and allowed in the same way as they're allowed for any Python code. That is, one can call files('multiprocessing').joinpath('../../../../etc/passwd'), but that provides no advantage over pathlib.Path('/etc/passwd').

I believe this new API addresses the concerns presented.

Please open a new issue (here or in github.com/python/importlib_resources) if there are further concerns needing attention.
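The behaviour described in the message, as an added example that is not part of the original message or of importlib.resources itself: `files()` does not confine `joinpath()` to the package, so a caller that accepts resource names from untrusted input has to add its own containment check. The package `demo_pkg`, the file names and the helper `open_resource` are hypothetical, and the check assumes a filesystem-backed package (Python 3.9+).

```python
import importlib.resources
import pathlib
import sys
import tempfile


def make_demo_package(base: pathlib.Path) -> None:
    """Constructed sample: package 'demo_pkg' plus one file outside it."""
    pkg = base / "demo_pkg"
    (pkg / "data").mkdir(parents=True)
    (pkg / "__init__.py").write_text("")
    (pkg / "data" / "greeting.txt").write_text("hello")
    (base / "outside.txt").write_text("not a package resource")


def open_resource(package: str, name: str) -> str:
    """Read a resource by an untrusted name (hypothetical helper)."""
    root = importlib.resources.files(package)
    target = root.joinpath(name)
    # files() is not a sandbox: resolve both paths and require containment.
    root_real = pathlib.Path(str(root)).resolve()
    target_real = pathlib.Path(str(target)).resolve()
    if not target_real.is_relative_to(root_real):
        raise ValueError(f"resource name escapes package: {name!r}")
    return target_real.read_text()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_package(pathlib.Path(tmp))
        sys.path.insert(0, tmp)
        try:
            importlib.invalidate_caches()
            root = importlib.resources.files("demo_pkg")
            # The raw API follows '..' just as pathlib would.
            escaped = root.joinpath("../outside.txt").read_text()
            inside = open_resource("demo_pkg", "data/greeting.txt")
            try:
                open_resource("demo_pkg", "../outside.txt")
                blocked = False
            except ValueError:
                blocked = True
            return {"escaped": escaped, "inside": inside, "blocked": blocked}
        finally:
            sys.path.remove(tmp)
            sys.modules.pop("demo_pkg", None)


if __name__ == "__main__":
    print(demo())
```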