bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)
authorVictor Stinner <victor.stinner@gmail.com>
Wed, 22 May 2019 20:15:01 +0000 (22:15 +0200)
committerGitHub <noreply@github.com>
Wed, 22 May 2019 20:15:01 +0000 (22:15 +0200)
CVE-2019-9948: Prevent local file reads by disallowing the unnecessary
``local_file://`` URL scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
Lib/test/test_urllib.py
Lib/urllib/request.py
Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst [new file with mode: 0644]

index 6b995fef8cb561c996c2e03698b9fcfddb2af4fa..f9b2799d25bfd0eb63efacae5a3c1054c31a504d 100644 (file)
@@ -1481,6 +1481,19 @@ class URLopener_Tests(FakeHTTPMixin, unittest.TestCase):
         filename, _ = urllib.request.URLopener().retrieve(url)
         self.assertEqual(os.path.splitext(filename)[1], ".txt")
 
+    @support.ignore_warnings(category=DeprecationWarning)
+    def test_local_file_open(self):
+        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
+        class DummyURLopener(urllib.request.URLopener):
+            def open_local_file(self, url):
+                return url
+        for url in ('local_file://example', 'local-file://example'):
+            self.assertRaises(OSError, urllib.request.urlopen, url)
+            self.assertRaises(OSError, urllib.request.URLopener().open, url)
+            self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
+            self.assertRaises(OSError, DummyURLopener().open, url)
+            self.assertRaises(OSError, DummyURLopener().retrieve, url)
+
 
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
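Review bot: The assertions on lines L28-L32 accept any OSError, so the test would still pass if the URLopener paths failed for an unrelated reason before the scheme check ran; pinning the rejection reason makes the regression test meaningful, e.g. `self.assertRaisesRegex(OSError, 'unknown url type', urllib.request.URLopener().open, url)` for each of the five calls (the message substring matches both the URLError raised by urlopen and the OSError raised by URLopener.open_unknown). Note also that `urllib.request.urlopen` in Python 3 dispatches through OpenerDirector rather than URLopener, so the first assertion does not, as far as I can tell, exercise the line changed in request.py and is a sanity check rather than coverage of the fix. A one-line comment saying so would stop a future reader from assuming urlopen shares the guarded code path.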
index 230ac390abb332acc29cdcd5b05cb2f71598dc00..9b21afb74e6e27e598b699ea5bf2524f4cf69cc4 100644 (file)
@@ -1745,7 +1745,7 @@ class URLopener:
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        if not hasattr(self, name):
+        if not hasattr(self, name) or name == 'open_local_file':
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else:
diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
new file mode 100644 (file)
index 0000000..42aca0b
--- /dev/null
@@ -0,0 +1,2 @@
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
+``URLopener().open()`` ``URLopener().retrieve()`` of :mod:`urllib.request`.