Brad Bishop | 15ae250 | 2019-06-18 21:44:24 -0400 | [diff] [blame^] | 1 | From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001 |
| 2 | From: Sihoon Lee <push0ebp@gmail.com> |
| 3 | Date: Fri, 17 May 2019 02:41:06 +0900 |
| 4 | Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into |
| 5 | assertRasies in DummyURLopener test, and simplify mitigation |
| 6 | |
| 7 | Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 |
| 8 | |
| 9 | CVE: CVE-2019-9948 |
| 10 | |
| 11 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> |
| 12 | --- |
| 13 | Lib/test/test_urllib.py | 11 +++-------- |
| 14 | Lib/urllib.py | 4 ++-- |
| 15 | 2 files changed, 5 insertions(+), 10 deletions(-) |
| 16 | |
| 17 | diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py |
| 18 | index e5f210e62a18..1e23dfb0bb16 100644 |
| 19 | --- a/Lib/test/test_urllib.py |
| 20 | +++ b/Lib/test/test_urllib.py |
| 21 | @@ -1027,14 +1027,9 @@ def test_local_file_open(self): |
| 22 | class DummyURLopener(urllib.URLopener): |
| 23 | def open_local_file(self, url): |
| 24 | return url |
| 25 | - self.assertEqual(DummyURLopener().open( |
| 26 | - 'local-file://example'), '//example') |
| 27 | - self.assertEqual(DummyURLopener().open( |
| 28 | - 'local_file://example'), '//example') |
| 29 | - self.assertRaises(IOError, urllib.urlopen, |
| 30 | - 'local-file://example') |
| 31 | - self.assertRaises(IOError, urllib.urlopen, |
| 32 | - 'local_file://example') |
| 33 | + for url in ('local_file://example', 'local-file://example'): |
| 34 | + self.assertRaises(IOError, DummyURLopener().open, url) |
| 35 | + self.assertRaises(IOError, urllib.urlopen, url) |
| 36 | |
| 37 | # Just commented them out. |
| 38 | # Can't really tell why keep failing in windows and sparc. |
| 39 | diff --git a/Lib/urllib.py b/Lib/urllib.py |
| 40 | index a24e9a5c68fb..39b834054e9e 100644 |
| 41 | --- a/Lib/urllib.py |
| 42 | +++ b/Lib/urllib.py |
| 43 | @@ -203,10 +203,10 @@ def open(self, fullurl, data=None): |
| 44 | name = 'open_' + urltype |
| 45 | self.type = urltype |
| 46 | name = name.replace('-', '_') |
| 47 | - |
| 48 | + |
| 49 | # bpo-35907: # disallow the file reading with the type not allowed |
| 50 | if not hasattr(self, name) or \ |
| 51 | - (self == _urlopener and name == 'open_local_file'): |
| 52 | + getattr(self, name) == self.open_local_file: |
| 53 | if proxy: |
| 54 | return self.open_unknown_proxy(proxy, fullurl, data) |
| 55 | else: |