This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Mekk
Recipients Mekk, barry, brett.cannon, indygreg
Date 2019-11-11.14:13:24
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Hmm, I noticed this but accidentally and tried to port to new api. Well:

>>> import multiprocessing
>>> import sys
>>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing')
>>> reader.open_resource('../../../../etc/passwd')
<_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True>

I suppose this is the case which deserve some thought (originally I faced it when some webapp used pkg_resources to provide static files and used resource api as a way to validate urls impacted by external input).

Tested on python 3.7.3, on Ubuntu 19.04.
Date User Action Args
2019-11-11 14:13:26Mekksetrecipients: + Mekk, barry, brett.cannon, indygreg
2019-11-11 14:13:26Mekksetmessageid: <>
2019-11-11 14:13:26Mekklinkissue36128 messages
2019-11-11 14:13:24Mekkcreate