[3.10] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (#145516)

miss-islington · zooba · StanFromIreland · web-flow · commit 876858c9f65d · 2026-04-30T22:18:39.000+01:00
* gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit a51b1b5) Co-authored-by: Steve Dower <steve.dower@python.org> * Regenerate importlib_external.h * Fix blurb entry The `:cve:` role is not available on this branch. --------- Co-authored-by: Steve Dower <steve.dower@python.org> Co-authored-by: Stan Ulbrych <stan@ulbrych.org> Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
@@ -1069,7 +1069,7 @@ def get_filename(self, fullname):
 
     def get_data(self, path):
         """Return the data from path as raw bytes."""
-        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
             with _io.open_code(str(path)) as file:
                 return file.read()
         else:
diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes CVE-2026-2297 by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.
diff --git a/Python/importlib_external.h b/Python/importlib_external.h

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fixes CVE-2026-2297 by ensuring that ``SourcelessFileLoader`` uses
	`2`	+:func:`io.open_code` when opening ``.pyc`` files.