From: SH Date: Tue, 21 May 2019 21:12:23 +0000 (+0900) Subject: bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842) X-Git-Tag: v2.7.17rc1~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b15bde8058e821b383d81fcae68b335a752083ca;p=thirdparty%2FPython%2Fcpython.git bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842) CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen(). --- diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index d7778d4194f3..ae1f6c0b29f0 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase): "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + def test_local_file_open(self): + class DummyURLopener(urllib.URLopener): + def open_local_file(self, url): + return url + for url in ('local_file://example', 'local-file://example'): + self.assertRaises(IOError, DummyURLopener().open, url) + self.assertRaises(IOError, urllib.urlopen, url) # Just commented them out. # Can't really tell why keep failing in windows and sparc. diff --git a/Lib/urllib.py b/Lib/urllib.py index d85504a5cb7e..156879dd0a14 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -203,7 +203,9 @@ class URLopener: name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - if not hasattr(self, name): + + # bpo-35907: disallow the file reading with the type not allowed + if not hasattr(self, name) or name == 'open_local_file': if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst new file mode 100644 index 000000000000..bb187d8d65a5 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst @@ -0,0 +1 @@ +CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen