[issue35907] [security][CVE-2019-9948] Unnecessary URL scheme exists to allow file:// reading file in urllib
Christian Heimes
report at bugs.python.org
Mon May 13 10:53:28 EDT 2019
Christian Heimes <lists at cheimes.de> added the comment:
The issue is not about whether "file://" schema or not.
It's about the fact that urllib on Python 2 has two schemas that allow local file access. There is the well-known "file://" schema and there is the implementation artifact "local_file://". A careful, security-minded developer knows about the file:// schema and also knows how to block it. But the "local_file://" schema is a surprising side-effect of the implementation.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35907>
_______________________________________
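Added example, not part of the original message or of CPython: a check that rejects only `file:` lets `local_file:` through, while an allowlist of expected schemes rejects both. The names `ALLOWED_SCHEMES`, `blocklist_check`, `allowlist_check` and `audit` are hypothetical, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web URLs.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def blocklist_check(url):
    """Weak form: reject only the scheme the developer knows about."""
    return not url.strip().lower().startswith("file:")


def allowlist_check(url):
    """Hardened form: accept only explicitly allowed schemes with a host."""
    url = url.strip()
    # Take the scheme as the raw text before the first ':' so that names a
    # strict parser would not treat as a scheme (such as "local_file", which
    # contains an underscore) are still seen and rejected.
    scheme, sep, _ = url.partition(":")
    if not sep or scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(urlsplit(url).hostname)


def audit(urls):
    """Return (url, passes_blocklist, passes_allowlist) for each URL."""
    return [(u, blocklist_check(u), allowlist_check(u)) for u in urls]


# Constructed sample inputs; the path is a placeholder.
SAMPLES = [
    "https://example.com/data.json",
    "file:///tmp/example.txt",
    "local_file:///tmp/example.txt",
    "LOCAL_FILE:///tmp/example.txt",
]

if __name__ == "__main__":
    for url, blocked_ok, allowed_ok in audit(SAMPLES):
        print(f"{url:35} blocklist={blocked_ok!s:5} allowlist={allowed_ok}")
```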