Message 356361 - Python tracker

Message356361

Author	Mekk
Recipients	Mekk, barry, brett.cannon, indygreg
Date	2019-11-11.14:13:24
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1573481606.34.0.0430322805691.issue36128@roundup.psfhosted.org>
In-reply-to

Content
Hmm, I noticed this but accidentally and tried to port https://github.com/pypa/setuptools/issues/1635 to new api. Well: >>> import multiprocessing >>> import sys >>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing') >>> reader.open_resource('../../../../etc/passwd') <_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True> I suppose this is the case which deserve some thought (originally I faced it when some webapp used pkg_resources to provide static files and used resource api as a way to validate urls impacted by external input). Tested on python 3.7.3, on Ubuntu 19.04.

Content

Hmm, I noticed this but accidentally and tried to port https://github.com/pypa/setuptools/issues/1635 to new api. Well:

>>> import multiprocessing
>>> import sys
>>> reader = sys.modules['multiprocessing'].__spec__.loader.get_resource_reader('multiprocessing')
>>> reader.open_resource('../../../../etc/passwd')
<_io.FileIO name='/usr/lib/python3.7/multiprocessing/../../../../etc/passwd' mode='rb' closefd=True>

I suppose this is the case which deserve some thought (originally I faced it when some webapp used pkg_resources to provide static files and used resource api as a way to validate urls impacted by external input).

Tested on python 3.7.3, on Ubuntu 19.04.

History
Date	User	Action	Args
2019-11-11 14:13:26	Mekk	set	recipients: + Mekk, barry, brett.cannon, indygreg
2019-11-11 14:13:26	Mekk	set	messageid: <1573481606.34.0.0430322805691.issue36128@roundup.psfhosted.org>
2019-11-11 14:13:26	Mekk	link	issue36128 messages
2019-11-11 14:13:24	Mekk	create