diff options
Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch')
| -rw-r--r-- | meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch new file mode 100644 index 0000000000..b267237018 --- /dev/null +++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch @@ -0,0 +1,55 @@ +From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001 +From: Sihoon Lee <push0ebp@gmail.com> +Date: Fri, 17 May 2019 02:41:06 +0900 +Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into + assertRasies in DummyURLopener test, and simplify mitigation + +Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 + +CVE: CVE-2019-9948 + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + Lib/test/test_urllib.py | 11 +++-------- + Lib/urllib.py | 4 ++-- + 2 files changed, 5 insertions(+), 10 deletions(-) + +diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py +index e5f210e62a18..1e23dfb0bb16 100644 +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -1027,14 +1027,9 @@ def test_local_file_open(self): + class DummyURLopener(urllib.URLopener): + def open_local_file(self, url): + return url +- self.assertEqual(DummyURLopener().open( +- 'local-file://example'), '//example') +- self.assertEqual(DummyURLopener().open( +- 'local_file://example'), '//example') +- self.assertRaises(IOError, urllib.urlopen, +- 'local-file://example') +- self.assertRaises(IOError, urllib.urlopen, +- 'local_file://example') ++ for url in ('local_file://example', 'local-file://example'): ++ self.assertRaises(IOError, DummyURLopener().open, url) ++ self.assertRaises(IOError, urllib.urlopen, url) + + # Just commented them out. + # Can't really tell why keep failing in windows and sparc. +diff --git a/Lib/urllib.py b/Lib/urllib.py +index a24e9a5c68fb..39b834054e9e 100644 +--- a/Lib/urllib.py ++++ b/Lib/urllib.py +@@ -203,10 +203,10 @@ def open(self, fullurl, data=None): + name = 'open_' + urltype + self.type = urltype + name = name.replace('-', '_') +- ++ + # bpo-35907: # disallow the file reading with the type not allowed + if not hasattr(self, name) or \ +- (self == _urlopener and name == 'open_local_file'): ++ getattr(self, name) == self.open_local_file: + if proxy: + return self.open_unknown_proxy(proxy, fullurl, data) + else: |