Commit b15bde80 authored by SH's avatar SH Committed by Victor Stinner

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842)

 CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
parent bb8071a4
...@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase): ...@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
def test_local_file_open(self):
class DummyURLopener(urllib.URLopener):
def open_local_file(self, url):
return url
for url in ('local_file://example', 'local-file://example'):
self.assertRaises(IOError, DummyURLopener().open, url)
self.assertRaises(IOError, urllib.urlopen, url)
# Just commented them out. # Just commented them out.
# Can't really tell why keep failing in windows and sparc. # Can't really tell why keep failing in windows and sparc.
......
...@@ -203,7 +203,9 @@ class URLopener: ...@@ -203,7 +203,9 @@ class URLopener:
name = 'open_' + urltype name = 'open_' + urltype
self.type = urltype self.type = urltype
name = name.replace('-', '_') name = name.replace('-', '_')
if not hasattr(self, name):
# bpo-35907: disallow the file reading with the type not allowed
if not hasattr(self, name) or name == 'open_local_file':
if proxy: if proxy:
return self.open_unknown_proxy(proxy, fullurl, data) return self.open_unknown_proxy(proxy, fullurl, data)
else: else:
......
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment