diff options
| author | Victor Stinner <victor.stinner@gmail.com> | 2019-05-22 20:15:01 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-05-22 20:15:01 (GMT) |
| commit | 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587 (patch) | |
| tree | d43ef81f590349a7e9d5cff0564f7b4667b43f2c | |
| parent | 2ddbd21aec7f0e2f237a1073d3e0b313e673413f (diff) | |
| download | cpython-0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587.zip cpython-0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587.tar.gz cpython-0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587.tar.bz2 | |
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
| -rw-r--r-- | Lib/test/test_urllib.py | 13 | ||||
| -rw-r--r-- | Lib/urllib/request.py | 2 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst | 2 |
3 files changed, 16 insertions, 1 deletions
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index 6b995fe..f9b2799 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -1481,6 +1481,19 @@ class URLopener_Tests(FakeHTTPMixin, unittest.TestCase): filename, _ = urllib.request.URLopener().retrieve(url) self.assertEqual(os.path.splitext(filename)[1], ".txt") + @support.ignore_warnings(category=DeprecationWarning) + def test_local_file_open(self): + # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme + class DummyURLopener(urllib.request.URLopener): + def open_local_file(self, url): + return url + for url in ('local_file://example', 'local-file://example'): + self.assertRaises(OSError, urllib.request.urlopen, url) + self.assertRaises(OSError, urllib.request.URLopener().open, url) + self.assertRaises(OSError, urllib.request.URLopener().retrieve, url) + self.assertRaises(OSError, DummyURLopener().open, url) + self.assertRaises(OSError, DummyURLopener().retrieve, url) + # Just commented them out. # Can't really tell why keep failing in windows and sparc. diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index 230ac39..9b21afb 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -1745,7 +1745,7 @@ class URLopener: name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - if not hasattr(self, name): + if not hasattr(self, name) or name == 'open_local_file': if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst new file mode 100644 index 0000000..42aca0b --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst @@ -0,0 +1,2 @@ +CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in +``URLopener().open()`` ``URLopener().retrieve()`` of :mod:`urllib.request`. |