diff options
| author | Victor Stinner <vstinner@redhat.com> | 2019-05-29 04:30:48 +0200 |
|---|---|---|
| committer | Ned Deily <nad@python.org> | 2019-05-28 22:30:47 -0400 |
| commit | 4f06dae5d8d4400ba38d8502da620f07d4a5696e (patch) | |
| tree | bf6b1888fc9236807585abc228202b1588695680 | |
| parent | 8ab624b17ba656e9af5a79be6af0cf2911a111ba (diff) | |
| download | cpython-git-4f06dae5d8d4400ba38d8502da620f07d4a5696e.tar.gz | |
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13513)
CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
(cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b)
| -rw-r--r-- | Lib/test/test_urllib.py | 18 | ||||
| -rw-r--r-- | Lib/urllib/request.py | 2 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst | 3 |
3 files changed, 22 insertions, 1 deletions
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index 649a5b8157..0061a5297c 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -16,6 +16,7 @@ except ImportError: ssl = None import sys import tempfile +import warnings from nturl2path import url2pathname, pathname2url from base64 import b64encode @@ -1463,6 +1464,23 @@ class URLopener_Tests(unittest.TestCase): "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + def test_local_file_open(self): + # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme + class DummyURLopener(urllib.request.URLopener): + def open_local_file(self, url): + return url + + with warnings.catch_warnings(record=True): + warnings.simplefilter("ignore", DeprecationWarning) + + for url in ('local_file://example', 'local-file://example'): + self.assertRaises(OSError, urllib.request.urlopen, url) + self.assertRaises(OSError, urllib.request.URLopener().open, url) + self.assertRaises(OSError, urllib.request.URLopener().retrieve, url) + self.assertRaises(OSError, DummyURLopener().open, url) + self.assertRaises(OSError, DummyURLopener().retrieve, url) + + # Just commented them out. # Can't really tell why keep failing in windows and sparc. # Everywhere else they work ok, but on those machines, sometimes diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index d28f2f8369..c9945d9518 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -1747,7 +1747,7 @@ class URLopener: name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - if not hasattr(self, name): + if not hasattr(self, name) or name == 'open_local_file': if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst new file mode 100644 index 0000000000..37b567a5b6 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst @@ -0,0 +1,3 @@ +CVE-2019-9948: Avoid file reading by disallowing ``local-file://`` and +``local_file://`` URL schemes in ``URLopener().open()`` and +``URLopener().retrieve()`` of :mod:`urllib.request`. |