Blame - poky/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch - openbmc/openbmc

blob: f4c225d2fcf763af8dd3b357b5630dc7c33a18d9 [file] [log] [blame]

Brad Bishop	15ae250	2019-06-18 21:44:24 -0400	[diff] [blame^]	1	From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
				2	From: push0ebp <push0ebp@shl-MacBook-Pro.local>
				3	Date: Thu, 14 Feb 2019 02:05:46 +0900
				4	Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
				5	URL scheme in urllib
				6
				7	Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
				8
				9	CVE: CVE-2019-9948
				10
				11	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
				12	---
				13	Lib/test/test_urllib.py \| 12 ++++++++++++
				14	Lib/urllib.py \| 5 ++++-
				15	2 files changed, 16 insertions(+), 1 deletion(-)
				16
				17	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
				18	index 1ce9201c0693..e5f210e62a18 100644
				19	--- a/Lib/test/test_urllib.py
				20	+++ b/Lib/test/test_urllib.py
				21	@@ -1023,6 +1023,18 @@ def open_spam(self, url):
				22	"spam://c:\|windows%/:=&?~#+!$,;'@()*[]\|/path/"),
				23	"//c:\|windows%/:=&?~#+!$,;'@()*[]\|/path/")
				24
				25	+ def test_local_file_open(self):
				26	+ class DummyURLopener(urllib.URLopener):
				27	+ def open_local_file(self, url):
				28	+ return url
				29	+ self.assertEqual(DummyURLopener().open(
				30	+ 'local-file://example'), '//example')
				31	+ self.assertEqual(DummyURLopener().open(
				32	+ 'local_file://example'), '//example')
				33	+ self.assertRaises(IOError, urllib.urlopen,
				34	+ 'local-file://example')
				35	+ self.assertRaises(IOError, urllib.urlopen,
				36	+ 'local_file://example')
				37
				38	# Just commented them out.
				39	# Can't really tell why keep failing in windows and sparc.
				40	diff --git a/Lib/urllib.py b/Lib/urllib.py
				41	index d85504a5cb7e..a24e9a5c68fb 100644
				42	--- a/Lib/urllib.py
				43	+++ b/Lib/urllib.py
				44	@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
				45	name = 'open_' + urltype
				46	self.type = urltype
				47	name = name.replace('-', '_')
				48	- if not hasattr(self, name):
				49	+
				50	+ # bpo-35907: # disallow the file reading with the type not allowed
				51	+ if not hasattr(self, name) or \
				52	+ (self == _urlopener and name == 'open_local_file'):
				53	if proxy:
				54	return self.open_unknown_proxy(proxy, fullurl, data)
				55	else: