From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001 From: Sihoon Lee Date: Fri, 17 May 2019 02:41:06 +0900 Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into assertRasies in DummyURLopener test, and simplify mitigation Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 CVE: CVE-2019-9948 Signed-off-by: Martin Jansa --- Lib/test/test_urllib.py | 11 +++-------- Lib/urllib.py | 4 ++-- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index e5f210e62a18..1e23dfb0bb16 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -1027,14 +1027,9 @@ def test_local_file_open(self): class DummyURLopener(urllib.URLopener): def open_local_file(self, url): return url - self.assertEqual(DummyURLopener().open( - 'local-file://example'), '//example') - self.assertEqual(DummyURLopener().open( - 'local_file://example'), '//example') - self.assertRaises(IOError, urllib.urlopen, - 'local-file://example') - self.assertRaises(IOError, urllib.urlopen, - 'local_file://example') + for url in ('local_file://example', 'local-file://example'): + self.assertRaises(IOError, DummyURLopener().open, url) + self.assertRaises(IOError, urllib.urlopen, url) # Just commented them out. # Can't really tell why keep failing in windows and sparc. diff --git a/Lib/urllib.py b/Lib/urllib.py index a24e9a5c68fb..39b834054e9e 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -203,10 +203,10 @@ def open(self, fullurl, data=None): name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - + # bpo-35907: # disallow the file reading with the type not allowed if not hasattr(self, name) or \ - (self == _urlopener and name == 'open_local_file'): + getattr(self, name) == self.open_local_file: if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: