package/python: add upstream security fix for CVE-2019-9948

Fixes CVE-2019-9948: Unnecessary URL scheme exists to allow file:// reading file in urllib. https://bugs.python.org/issue35907 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 6522aad76a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-16 23:17:09 +02:00 · 2019-06-16 23:17:09 +02:00 · f977487ef4
commit f977487ef4
parent 5a103c8e52
1 changed files with 59 additions and 0 deletions
--- a/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
+++ b/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
@ -0,0 +1,59 @@
+From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001
+From: SH <push0ebp@gmail.com>
+Date: Wed, 22 May 2019 06:12:23 +0900
+Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
+  (GH-11842)
+
+ CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ Lib/test/test_urllib.py                                           | 7 +++++++
+ Lib/urllib.py                                                     | 4 +++-
+ Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index d7778d4194..ae1f6c0b29 100644
+--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
+@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
+             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ 
+    def test_local_file_open(self):
+        class DummyURLopener(urllib.URLopener):
+            def open_local_file(self, url):
+                return url
+        for url in ('local_file://example', 'local-file://example'):
+            self.assertRaises(IOError, DummyURLopener().open, url)
+            self.assertRaises(IOError, urllib.urlopen, url)
+ 
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb..156879dd0a 100644
+--- a/Lib/urllib.py
+++ b/Lib/urllib.py
+@@ -203,7 +203,9 @@ class URLopener:
+         name = 'open_' + urltype
+         self.type = urltype
+         name = name.replace('-', '_')
+-        if not hasattr(self, name):
+
+        # bpo-35907: disallow the file reading with the type not allowed
+        if not hasattr(self, name) or name == 'open_local_file':
+             if proxy:
+                 return self.open_unknown_proxy(proxy, fullurl, data)
+             else:
+diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+new file mode 100644
+index 0000000000..bb187d8d65
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+@@ -0,0 +1 @@
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
+-- 
+2.11.0
+