60 lines
2.4 KiB
Diff
60 lines
2.4 KiB
Diff
|
From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001
|
||
|
From: SH <push0ebp@gmail.com>
|
||
|
Date: Wed, 22 May 2019 06:12:23 +0900
|
||
|
Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
|
||
|
(GH-11842)
|
||
|
|
||
|
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
|
||
|
|
||
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||
|
---
|
||
|
Lib/test/test_urllib.py | 7 +++++++
|
||
|
Lib/urllib.py | 4 +++-
|
||
|
Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
|
||
|
3 files changed, 11 insertions(+), 1 deletion(-)
|
||
|
create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
||
|
|
||
|
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
||
|
index d7778d4194..ae1f6c0b29 100644
|
||
|
--- a/Lib/test/test_urllib.py
|
||
|
+++ b/Lib/test/test_urllib.py
|
||
|
@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
|
||
|
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
|
||
|
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
|
||
|
|
||
|
+ def test_local_file_open(self):
|
||
|
+ class DummyURLopener(urllib.URLopener):
|
||
|
+ def open_local_file(self, url):
|
||
|
+ return url
|
||
|
+ for url in ('local_file://example', 'local-file://example'):
|
||
|
+ self.assertRaises(IOError, DummyURLopener().open, url)
|
||
|
+ self.assertRaises(IOError, urllib.urlopen, url)
|
||
|
|
||
|
# Just commented them out.
|
||
|
# Can't really tell why keep failing in windows and sparc.
|
||
|
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
||
|
index d85504a5cb..156879dd0a 100644
|
||
|
--- a/Lib/urllib.py
|
||
|
+++ b/Lib/urllib.py
|
||
|
@@ -203,7 +203,9 @@ class URLopener:
|
||
|
name = 'open_' + urltype
|
||
|
self.type = urltype
|
||
|
name = name.replace('-', '_')
|
||
|
- if not hasattr(self, name):
|
||
|
+
|
||
|
+ # bpo-35907: disallow the file reading with the type not allowed
|
||
|
+ if not hasattr(self, name) or name == 'open_local_file':
|
||
|
if proxy:
|
||
|
return self.open_unknown_proxy(proxy, fullurl, data)
|
||
|
else:
|
||
|
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
||
|
new file mode 100644
|
||
|
index 0000000000..bb187d8d65
|
||
|
--- /dev/null
|
||
|
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
||
|
@@ -0,0 +1 @@
|
||
|
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
|
||
|
--
|
||
|
2.11.0
|
||
|
|