File: CVE-2019-9948.diff

package info (click to toggle)
python3.7 3.7.3-2%2Bdeb10u3
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 92,344 kB
  • sloc: python: 547,375; ansic: 419,805; sh: 4,593; cpp: 3,449; makefile: 1,772; asm: 1,602; objc: 761; lisp: 502; pascal: 341; javascript: 313; xml: 76; csh: 21
file content (67 lines) | stat: -rw-r--r-- 2,798 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
From 34bab215596671d0dec2066ae7d7450cd73f638b Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@redhat.com>
Date: Wed, 22 May 2019 23:28:28 +0200
Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
 (GH-13474) (GH-13505)

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
---
 Lib/test/test_urllib.py                        | 18 ++++++++++++++++++
 Lib/urllib/request.py                          |  2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst

diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 7214492eca9d..7ec365b928a5 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -16,6 +16,7 @@
     ssl = None
 import sys
 import tempfile
+import warnings
 from nturl2path import url2pathname, pathname2url
 
 from base64 import b64encode
@@ -1463,6 +1464,23 @@ def open_spam(self, url):
                 "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
                 "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
 
+    def test_local_file_open(self):
+        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
+        class DummyURLopener(urllib.request.URLopener):
+            def open_local_file(self, url):
+                return url
+
+        with warnings.catch_warnings(record=True):
+            warnings.simplefilter("ignore", DeprecationWarning)
+
+            for url in ('local_file://example', 'local-file://example'):
+                self.assertRaises(OSError, urllib.request.urlopen, url)
+                self.assertRaises(OSError, urllib.request.URLopener().open, url)
+                self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
+                self.assertRaises(OSError, DummyURLopener().open, url)
+                self.assertRaises(OSError, DummyURLopener().retrieve, url)
+
+
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
 # Everywhere else they work ok, but on those machines, sometimes
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index d38f725d8e9f..37b254862887 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1746,7 +1746,7 @@ def open(self, fullurl, data=None):
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        if not hasattr(self, name):
+        if not hasattr(self, name) or name == 'open_local_file':
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else: