Commit cebe3c0e authored by Matthias Klose's avatar Matthias Klose

* CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema

    (file://).
parent 34c0ec84
python2.7 (2.7.16-2) UNRELEASED; urgency=high
python2.7 (2.7.16-2) unstable; urgency=high
[ Matthias Klose ]
* CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
normalize to separators. Closes: #924073.
* CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
(file://).
[ Dimitri John Ledkov ]
* Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
shouldn't mix and match python2.7 & libssl1.1. LP: #1808476
-- Matthias Klose <doko@debian.org> Sat, 09 Mar 2019 19:44:25 +0100
-- Matthias Klose <doko@debian.org> Sat, 06 Apr 2019 03:42:57 +0200
python2.7 (2.7.16-1) unstable; urgency=medium
......
# DP: Proposed patch for https://bugs.python.org/issue35907
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 1ce9201c0693..e5f210e62a18 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1023,6 +1023,18 @@ def open_spam(self, url):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+ self.assertEqual(DummyURLopener().open(
+ 'local-file://example'), '//example')
+ self.assertEqual(DummyURLopener().open(
+ 'local_file://example'), '//example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local-file://example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local_file://example')
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index d85504a5cb7e..a24e9a5c68fb 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
- if not hasattr(self, name):
+
+ # bpo-35907: # disallow the file reading with the type not allowed
+ if not hasattr(self, name) or \
+ (self == _urlopener and name == 'open_local_file'):
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
......@@ -72,3 +72,4 @@ local-doc-references.diff
m-i-p-s-r6.diff
multiarch-libc.diff
issue36216.diff
issue35907.diff
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment