From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 From: push0ebp Date: Thu, 14 Feb 2019 02:05:46 +0900 Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary URL scheme in urllib Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 CVE: CVE-2019-9948 Signed-off-by: Martin Jansa --- Lib/test/test_urllib.py | 12 ++++++++++++ Lib/urllib.py | 5 ++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index 1ce9201c0693..e5f210e62a18 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -1023,6 +1023,18 @@ def open_spam(self, url): "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + def test_local_file_open(self): + class DummyURLopener(urllib.URLopener): + def open_local_file(self, url): + return url + self.assertEqual(DummyURLopener().open( + 'local-file://example'), '//example') + self.assertEqual(DummyURLopener().open( + 'local_file://example'), '//example') + self.assertRaises(IOError, urllib.urlopen, + 'local-file://example') + self.assertRaises(IOError, urllib.urlopen, + 'local_file://example') # Just commented them out. # Can't really tell why keep failing in windows and sparc. diff --git a/Lib/urllib.py b/Lib/urllib.py index d85504a5cb7e..a24e9a5c68fb 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -203,7 +203,10 @@ def open(self, fullurl, data=None): name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - if not hasattr(self, name): + + # bpo-35907: # disallow the file reading with the type not allowed + if not hasattr(self, name) or \ + (self == _urlopener and name == 'open_local_file'): if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: