53838903fe
These patches address issue: CVE-2019-9948: Unnecessary URL scheme exists to allow local_file:// reading file in urllib Link to Python issue: https://bugs.python.org/issue35907 Issue 35907 is still currently open, waiting for a decision for Python 3.5; these patches for Python 2.7 and 3.7 have been merged. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
76 lines
3.2 KiB
Diff
76 lines
3.2 KiB
Diff
From 3fa72516a390fa8e3552007814e8dc1248686eb5 Mon Sep 17 00:00:00 2001
|
|
From: Victor Stinner <victor.stinner@gmail.com>
|
|
Date: Wed, 22 May 2019 22:15:01 +0200
|
|
Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
|
|
(GH-13474)
|
|
|
|
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
|
|
scheme in URLopener().open() and URLopener().retrieve()
|
|
of urllib.request.
|
|
|
|
Co-Authored-By: SH <push0ebp@gmail.com>
|
|
(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
|
|
---
|
|
Lib/test/test_urllib.py | 18 ++++++++++++++++++
|
|
Lib/urllib/request.py | 2 +-
|
|
.../2019-05-21-23-20-18.bpo-35907.NC_zNK.rst | 2 ++
|
|
3 files changed, 21 insertions(+), 1 deletion(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
|
|
|
|
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
|
index 7214492eca9d..7ec365b928a5 100644
|
|
--- a/Lib/test/test_urllib.py
|
|
+++ b/Lib/test/test_urllib.py
|
|
@@ -16,6 +16,7 @@
|
|
ssl = None
|
|
import sys
|
|
import tempfile
|
|
+import warnings
|
|
from nturl2path import url2pathname, pathname2url
|
|
|
|
from base64 import b64encode
|
|
@@ -1463,6 +1464,23 @@ def open_spam(self, url):
|
|
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
|
|
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
|
|
|
|
+ def test_local_file_open(self):
|
|
+ # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
|
|
+ class DummyURLopener(urllib.request.URLopener):
|
|
+ def open_local_file(self, url):
|
|
+ return url
|
|
+
|
|
+ with warnings.catch_warnings(record=True):
|
|
+ warnings.simplefilter("ignore", DeprecationWarning)
|
|
+
|
|
+ for url in ('local_file://example', 'local-file://example'):
|
|
+ self.assertRaises(OSError, urllib.request.urlopen, url)
|
|
+ self.assertRaises(OSError, urllib.request.URLopener().open, url)
|
|
+ self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
|
|
+ self.assertRaises(OSError, DummyURLopener().open, url)
|
|
+ self.assertRaises(OSError, DummyURLopener().retrieve, url)
|
|
+
|
|
+
|
|
# Just commented them out.
|
|
# Can't really tell why keep failing in windows and sparc.
|
|
# Everywhere else they work ok, but on those machines, sometimes
|
|
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
|
index d38f725d8e9f..37b254862887 100644
|
|
--- a/Lib/urllib/request.py
|
|
+++ b/Lib/urllib/request.py
|
|
@@ -1746,7 +1746,7 @@ def open(self, fullurl, data=None):
|
|
name = 'open_' + urltype
|
|
self.type = urltype
|
|
name = name.replace('-', '_')
|
|
- if not hasattr(self, name):
|
|
+ if not hasattr(self, name) or name == 'open_local_file':
|
|
if proxy:
|
|
return self.open_unknown_proxy(proxy, fullurl, data)
|
|
else:
|
|
diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
|
|
new file mode 100644
|
|
index 000000000000..16adc7a94e2f
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
|
|
@@ -0,0 +1,2 @@
|
|
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
|
|
+``URLopener().open()`` and ``URLopener().retrieve()`` of :mod:`urllib.request`.
|