[issue35907] [security][CVE-2019-9948] Unnecessary URL scheme exists to allow local_file:// reading file in urllib
STINNER Victor
report at bugs.python.org
Mon May 4 12:31:12 EDT 2020
STINNER Victor <vstinner at python.org> added the comment:
> We should whitelist the protocols. The current solution with `getattr` is really fragile. For example, this crashes with a `TypeError`: `URLopener().open("unknown_proxy://test")`
Would you mind elaborating on why you consider that the solution is incomplete? Your issue doesn't show that Python is vulnerable. TypeError *is* the expected behavior.
Would you prefer another error message? If yes, please open a separate issue.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35907>
_______________________________________
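An added illustration of the trade-off raised in the quoted comment (not CPython's code and not written by anyone in this thread): a simplified model of name-based `getattr` dispatch next to an explicit scheme allowlist. The class names, handler bodies and the `ALLOWED_SCHEMES` policy are assumptions, and the sample URLs are constructed.

```python
ALLOWED_SCHEMES = frozenset({"http", "https"})  # assumed policy for this example


def split_scheme(url):
    """Return the lowercased text before the first ':' (empty if there is none)."""
    scheme, sep, _ = url.strip().partition(":")
    return scheme.lower() if sep else ""


class GetattrOpener:
    """Simplified model: any method named open_<scheme> is reachable from a URL."""

    def open(self, url):
        name = "open_" + split_scheme(url).replace("-", "_")
        handler = getattr(self, name, None)
        if handler is None:
            raise OSError("unknown url type: " + url)
        return handler(url)

    def open_http(self, url):
        return "http handler"

    open_https = open_http

    def open_file(self, url):
        return "file handler"

    def open_local_file(self, url):
        # Meant as an internal helper, yet its name fits the open_<scheme> pattern.
        return "local_file handler"


class AllowlistOpener(GetattrOpener):
    """Same handlers, but the scheme must be in an explicit allowlist first."""

    def open(self, url):
        scheme = split_scheme(url)
        if scheme not in ALLOWED_SCHEMES:
            raise ValueError("scheme not allowed: %r" % scheme)
        return super().open(url)


def outcome(opener, url):
    """Return the handler result, or the exception class name if the open is refused."""
    try:
        return opener.open(url)
    except (OSError, ValueError) as exc:
        return type(exc).__name__
```

With the allowlist, adding a new `open_*` method later does not make a new scheme reachable until the policy set is changed as well.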