Message356361
Hmm, I noticed this but accidentally and tried to port https://github.com/pypa/setuptools/issues/1635 to new api. Well:
>>> import multiprocessing
>>> import sys
>>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing')
>>> reader.open_resource('../../../../etc/passwd')
<_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True>
I suppose this is the case which deserve some thought (originally I faced it when some webapp used pkg_resources to provide static files and used resource api as a way to validate urls impacted by external input).
Tested on python 3.7.3, on Ubuntu 19.04. |
|
Date |
User |
Action |
Args |
2019-11-11 14:13:26 | Mekk | set | recipients:
+ Mekk, barry, brett.cannon, indygreg |
2019-11-11 14:13:26 | Mekk | set | messageid: <1573481606.34.0.0430322805691.issue36128@roundup.psfhosted.org> |
2019-11-11 14:13:26 | Mekk | link | issue36128 messages |
2019-11-11 14:13:24 | Mekk | create | |
|