Brad Bishop | 15ae250 | 2019-06-18 21:44:24 -0400 | [diff] [blame^] | 1 | From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 |
| 2 | From: push0ebp <push0ebp@shl-MacBook-Pro.local> |
| 3 | Date: Thu, 14 Feb 2019 02:05:46 +0900 |
| 4 | Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary |
| 5 | URL scheme in urllib |
| 6 | |
| 7 | Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 |
| 8 | |
| 9 | CVE: CVE-2019-9948 |
| 10 | |
| 11 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> |
| 12 | --- |
| 13 | Lib/test/test_urllib.py | 12 ++++++++++++ |
| 14 | Lib/urllib.py | 5 ++++- |
| 15 | 2 files changed, 16 insertions(+), 1 deletion(-) |
| 16 | |
| 17 | diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py |
| 18 | index 1ce9201c0693..e5f210e62a18 100644 |
| 19 | --- a/Lib/test/test_urllib.py |
| 20 | +++ b/Lib/test/test_urllib.py |
| 21 | @@ -1023,6 +1023,18 @@ def open_spam(self, url): |
| 22 | "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), |
| 23 | "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") |
| 24 | |
| 25 | + def test_local_file_open(self): |
| 26 | + class DummyURLopener(urllib.URLopener): |
| 27 | + def open_local_file(self, url): |
| 28 | + return url |
| 29 | + self.assertEqual(DummyURLopener().open( |
| 30 | + 'local-file://example'), '//example') |
| 31 | + self.assertEqual(DummyURLopener().open( |
| 32 | + 'local_file://example'), '//example') |
| 33 | + self.assertRaises(IOError, urllib.urlopen, |
| 34 | + 'local-file://example') |
| 35 | + self.assertRaises(IOError, urllib.urlopen, |
| 36 | + 'local_file://example') |
| 37 | |
| 38 | # Just commented them out. |
| 39 | # Can't really tell why keep failing in windows and sparc. |
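Review bot: The new test_local_file_open asserts that the 'local-file' and 'local_file' aliases are refused by urllib.urlopen(), but it has no positive check that the supported 'file' scheme still reaches open_local_file, so a guard that over-blocks every local read would pass this test unnoticed. A companion assertion through the same DummyURLopener would close that gap, e.g. `self.assertEqual(DummyURLopener().open('file:///example'), '///example')` — this assumes open_file forwards local paths to open_local_file, which is not visible in the hunk. The four assertions also construct a fresh DummyURLopener for each call; binding it once (`opener = DummyURLopener()`) reads more clearly and makes the contrast with the module-level default opener used by urlopen() explicit.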
| 40 | diff --git a/Lib/urllib.py b/Lib/urllib.py |
| 41 | index d85504a5cb7e..a24e9a5c68fb 100644 |
| 42 | --- a/Lib/urllib.py |
| 43 | +++ b/Lib/urllib.py |
| 44 | @@ -203,7 +203,10 @@ def open(self, fullurl, data=None): |
| 45 | name = 'open_' + urltype |
| 46 | self.type = urltype |
| 47 | name = name.replace('-', '_') |
| 48 | - if not hasattr(self, name): |
| 49 | + |
| 50 | + # bpo-35907: # disallow the file reading with the type not allowed |
| 51 | + if not hasattr(self, name) or \ |
| 52 | + (self == _urlopener and name == 'open_local_file'): |
| 53 | if proxy: |
| 54 | return self.open_unknown_proxy(proxy, fullurl, data) |
| 55 | else: |
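Review bot: The added guard compares the opener with `==` where an identity test is intended; `(self is _urlopener and name == 'open_local_file'):` states that only the module-level default opener is meant and cannot be redirected by a subclass that defines `__eq__`. The comment above it carries a stray second `#` and does not say what is blocked; `# bpo-35907: the default opener must not reach open_local_file through a scheme alias ('local-file:', 'local_file:')` would. Note that the restriction is scoped to `_urlopener` only, so any other URLopener instance still maps those aliases onto open_local_file (the DummyURLopener in the test hunk relies on exactly this); callers that construct their own opener are not covered by this change and that limitation is worth recording in the comment. open()'s body continues outside the hunk.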