[Python-checkins] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842)
Victor Stinner
webhook-mailer at python.org
Tue May 21 17:12:45 EDT 2019
https://github.com/python/cpython/commit/b15bde8058e821b383d81fcae68b335a752083ca
commit: b15bde8058e821b383d81fcae68b335a752083ca
branch: 2.7
author: SH <push0ebp at gmail.com>
committer: Victor Stinner <vstinner at redhat.com>
date: 2019-05-21T23:12:23+02:00
summary:
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
files:
A Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
M Lib/test/test_urllib.py
M Lib/urllib.py
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index d7778d4194f3..ae1f6c0b29f0 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1048,6 +1048,13 @@ def open_spam(self, url):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+ for url in ('local_file://example', 'local-file://example'):
+ self.assertRaises(IOError, DummyURLopener().open, url)
+ self.assertRaises(IOError, urllib.urlopen, url)
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index d85504a5cb7e..156879dd0a14 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,9 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
- if not hasattr(self, name):
+
+ # bpo-35907: disallow the file reading with the type not allowed
+ if not hasattr(self, name) or name == 'open_local_file':
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
new file mode 100644
index 000000000000..bb187d8d65a5
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -0,0 +1 @@
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
More information about the Python-checkins
mailing list