
Commit 7614ae8

StanFromIrelandmiss-islington
authored andcommitted
gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122)
(cherry picked from commit bcdf231) Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
1 parent 86a67f8 commit 7614ae8

3 files changed

Lines changed: 25 additions & 0 deletions


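--- a/Lib/pkgutil.py
+++ b/Lib/pkgutil.py
@@ -635,6 +635,9 @@ def get_data(package, resource):
     # signature - an os.path format "filename" starting with the dirname of
     # the package's __file__
     parts = resource.split('/')
+    if os.path.isabs(resource) or '..' in parts:
+        raise ValueError("resource must be a relative path with no "
+                         "parent directory components")
     parts.insert(0, os.path.dirname(mod.__file__))
     resource_name = os.path.join(*parts)
     return loader.get_data(resource_name)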
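Review bot: The `'..' in parts` test on the added line 638 only sees components split on '/', while `os.path.join` on line 641 also honours the platform separator, so on Windows a single '/'-free component such as `'..\\x'` passes the check and still resolves outside the package directory; normalising first, `parts = resource.replace(os.sep, '/').split('/')`, closes that gap and is a no-op on POSIX where `os.sep` is already '/'. Whether backslash-separated resources are meant to be supported at all is not stated here; if they are not, rejecting `os.sep in resource` when `os.sep != '/'` is the stricter alternative. Drive-relative names like `'C:x'` are not absolute under `os.path.isabs` either and deserve a Windows test, though how `os.path.join` treats them against the package dirname is not visible in the hunk. get_data's body begins outside the hunk, where `mod` and `loader` are bound.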

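--- a/Lib/test/test_pkgutil.py
+++ b/Lib/test/test_pkgutil.py
@@ -57,6 +57,25 @@ def test_getdata_filesys(self):
 
         del sys.modules[pkg]
 
+    def test_getdata_path_traversal(self):
+        pkg = 'test_getdata_traversal'
+
+        # Make a package with some resources
+        package_dir = os.path.join(self.dirname, pkg)
+        os.mkdir(package_dir)
+        # Empty init.py
+        f = open(os.path.join(package_dir, '__init__.py'), "wb")
+        f.close()
+
+        with self.assertRaises(ValueError):
+            pkgutil.get_data(pkg, '../../../etc/passwd')
+        with self.assertRaises(ValueError):
+            pkgutil.get_data(pkg, 'sub/../../../etc/passwd')
+        with self.assertRaises(ValueError):
+            pkgutil.get_data(pkg, os.path.abspath('/etc/passwd'))
+
+        del sys.modules[pkg]
+
     def test_getdata_zipfile(self):
         zip = 'test_getdata_zipfile.zip'
         pkg = 'test_getdata_zipfile'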
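Review bot: The `open(...)`/`f.close()` pair on the new lines 67-68 should be a context manager, `with open(os.path.join(package_dir, '__init__.py'), 'wb'): pass`, which is the idiom the rest of the stdlib tests use for creating an empty file. The comment `# Empty init.py` on line 66 names the file wrongly; `# Empty __init__.py` is what the line creates. All three rejected inputs use '/' separators, so a backslash-separated variant, skipped unless `os.sep == '\\'`, would pin the Windows behaviour of the new check, and a positive case showing that a plain relative name is still accepted would guard against the check becoming over-broad. The directory created under `self.dirname` is not removed in the test body; presumably the fixture cleans it up, but that setup lies outside the hunk.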
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
:func:`pkgutil.get_data` now raises rejects *resource* arguments containing the
2+
parent directory components or that is an absolute path.
3+
This addresses :cve:`2026-3479`.
