bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842)

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
b15bde80 · SH · Victor Stinner · bb8071a4 · b15bde80 · b15bde80
Commit b15bde80 authored May 22, 2019 by SH Committed by Victor Stinner May 21, 2019
3 changed files
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
            "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
            "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")

+    def test_local_file_open(self):
+        class DummyURLopener(urllib.URLopener):
+            def open_local_file(self, url):
+                return url
+        for url in ('local_file://example', 'local-file://example'):
+            self.assertRaises(IOError, DummyURLopener().open, url)
+            self.assertRaises(IOError, urllib.urlopen, url)

 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.

--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,9 @@ class URLopener:
        name = 'open_' + urltype
        self.type = urltype
        name = name.replace('-', '_')
-        if not hasattr(self, name):
+
+        # bpo-35907: disallow the file reading with the type not allowed
+        if not hasattr(self, name) or name == 'open_local_file':
            if proxy:
                return self.open_unknown_proxy(proxy, fullurl, data)
            else:

--- a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen