Blame - poky/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch - openbmc/openbmc

blob: b2672370186133335175046806b1e1def8f6fb6f [file] [log] [blame]

Brad Bishop	15ae250	2019-06-18 21:44:24 -0400	[diff] [blame^]	1	From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
				2	From: Sihoon Lee <push0ebp@gmail.com>
				3	Date: Fri, 17 May 2019 02:41:06 +0900
				4	Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
				5	assertRasies in DummyURLopener test, and simplify mitigation
				6
				7	Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
				8
				9	CVE: CVE-2019-9948
				10
				11	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
				12	---
				13	Lib/test/test_urllib.py \| 11 +++--------
				14	Lib/urllib.py \| 4 ++--
				15	2 files changed, 5 insertions(+), 10 deletions(-)
				16
				17	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
				18	index e5f210e62a18..1e23dfb0bb16 100644
				19	--- a/Lib/test/test_urllib.py
				20	+++ b/Lib/test/test_urllib.py
				21	@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
				22	class DummyURLopener(urllib.URLopener):
				23	def open_local_file(self, url):
				24	return url
				25	- self.assertEqual(DummyURLopener().open(
				26	- 'local-file://example'), '//example')
				27	- self.assertEqual(DummyURLopener().open(
				28	- 'local_file://example'), '//example')
				29	- self.assertRaises(IOError, urllib.urlopen,
				30	- 'local-file://example')
				31	- self.assertRaises(IOError, urllib.urlopen,
				32	- 'local_file://example')
				33	+ for url in ('local_file://example', 'local-file://example'):
				34	+ self.assertRaises(IOError, DummyURLopener().open, url)
				35	+ self.assertRaises(IOError, urllib.urlopen, url)
				36
				37	# Just commented them out.
				38	# Can't really tell why keep failing in windows and sparc.
				39	diff --git a/Lib/urllib.py b/Lib/urllib.py
				40	index a24e9a5c68fb..39b834054e9e 100644
				41	--- a/Lib/urllib.py
				42	+++ b/Lib/urllib.py
				43	@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
				44	name = 'open_' + urltype
				45	self.type = urltype
				46	name = name.replace('-', '_')
				47	-
				48	+
				49	# bpo-35907: # disallow the file reading with the type not allowed
				50	if not hasattr(self, name) or \
				51	- (self == _urlopener and name == 'open_local_file'):
				52	+ getattr(self, name) == self.open_local_file:
				53	if proxy:
				54	return self.open_unknown_proxy(proxy, fullurl, data)
				55	else: