summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
blob: b2672370186133335175046806b1e1def8f6fb6f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
From: Sihoon Lee <push0ebp@gmail.com>
Date: Fri, 17 May 2019 02:41:06 +0900
Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
 assertRasies in DummyURLopener test, and simplify mitigation

Upstream-Status: Submitted https://github.com/python/cpython/pull/11842

CVE: CVE-2019-9948

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
 Lib/test/test_urllib.py | 11 +++--------
 Lib/urllib.py           |  4 ++--
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index e5f210e62a18..1e23dfb0bb16 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
         class DummyURLopener(urllib.URLopener):
             def open_local_file(self, url):
                 return url
-        self.assertEqual(DummyURLopener().open(
-            'local-file://example'), '//example')
-        self.assertEqual(DummyURLopener().open(
-            'local_file://example'), '//example')
-        self.assertRaises(IOError, urllib.urlopen,
-            'local-file://example')
-        self.assertRaises(IOError, urllib.urlopen,
-            'local_file://example')
+        for url in ('local_file://example', 'local-file://example'):
+            self.assertRaises(IOError, DummyURLopener().open, url)
+            self.assertRaises(IOError, urllib.urlopen, url)
 
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index a24e9a5c68fb..39b834054e9e 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        
+
         # bpo-35907: # disallow the file reading with the type not allowed
         if not hasattr(self, name) or \
-            (self == _urlopener and name == 'open_local_file'):
+            getattr(self, name) == self.open_local_file:
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else: