[issue35907] [security][CVE-2019-9948] Unnecessary URL scheme exists to allow file:// reading file in urllib
STINNER Victor
report at bugs.python.org
Mon May 13 10:47:47 EDT 2019
STINNER Victor <vstinner at redhat.com> added the comment:
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema. Python 3 refuses local_file:// (tested with 3.4 to 3.7).
I'm not sure that I understand the issue well. urllib accepts various schemes by design: HTTP, HTTPS, FTP, FILE, etc.
For example, file:// scheme is legit and works as expected. Python 3 example:
---
import urllib.request
req = urllib.request.Request('file:///etc/passwd')
print(f"URL scheme: {req.type}")
fp = urllib.request.urlopen(req)
print(fp.read()[:30])
fp.close()
---
Output with Python 3:
---
URL scheme: file
b'root:x:0:0:root:/root:/bin/bas'
---
I get a similar output with this Python 2 example:
---
import urllib
req = urllib.urlopen('file:///etc/passwd')
print(req.read()[:30])
req.close()
---
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema.
I understand that Python 2 handles local_file://url as file://url. Ok. But is this a security issue? If you care about security, you ensure that the URL scheme is HTTP or HTTPS, not only forbid FILE, no?
I'm asking because of:
Karthikeyan Singaravelan:
> This issue seems to have been assigned CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948) ...
----------
nosy: +vstinner
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35907>
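The allow-list check Victor suggests above (accept HTTP/HTTPS, rather than denying FILE), written out as an added example. This is not code from the thread or from CPython; the function names, the exception class and the sample URLs are constructed here for illustration. It also shows why the allow-list catches the local_file:// quirk without needing to know about it: urllib.parse.urlsplit does not treat "local_file" as a scheme at all (underscore is not a scheme character), so the URL parses with an empty scheme and is rejected like any other non-HTTP input.

```python
import urllib.parse
import urllib.request

# Allow-list of URL schemes the application is willing to fetch.
# Denying only "file" would leave "local_file", "ftp", "data", ... open to
# whatever the urllib version at hand happens to support.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class DisallowedScheme(ValueError):
    """Raised when a URL uses a scheme outside the allow-list (hypothetical name)."""


def checked_url(url, allowed=ALLOWED_SCHEMES):
    """Return url unchanged if its scheme is allowed, else raise DisallowedScheme.

    urlsplit() lowercases the scheme, so "FILE:///etc/passwd" and
    "file:///etc/passwd" are treated alike. A bare path has scheme "" and
    is rejected too; so is "local_file:///...", because '_' is not a valid
    scheme character and urlsplit() returns scheme "" for it.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in allowed:
        raise DisallowedScheme(f"refusing URL scheme {parts.scheme!r}: {url}")
    return url


def open_checked(url, allowed=ALLOWED_SCHEMES, opener=urllib.request.urlopen):
    """Validate the scheme first, then hand the URL to urlopen (or a test opener)."""
    return opener(checked_url(url, allowed))


def classify(urls, allowed=ALLOWED_SCHEMES):
    """Map each URL to 'allowed' or 'rejected' according to the allow-list."""
    verdicts = {}
    for u in urls:
        try:
            checked_url(u, allowed)
            verdicts[u] = "allowed"
        except DisallowedScheme:
            verdicts[u] = "rejected"
    return verdicts


# Constructed sample inputs; only file:///etc/passwd comes from the thread above.
SAMPLE_URLS = [
    "https://example.com/index.html",
    "HTTP://example.com/",
    "file:///etc/passwd",
    "local_file:///etc/passwd",
    "ftp://example.com/pub/",
    "/etc/passwd",
]

if __name__ == "__main__":
    for u, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:8} {u}")
```

The check runs before urlopen() is ever called, so the decision never depends on which handlers a given urllib version registers; that is the point of allow-listing the two schemes you actually need instead of enumerating the ones you fear.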