package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch - buildroot - Git at Google

 From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001
 From: SH <push0ebp@gmail.com>
 Date: Wed, 22 May 2019 06:12:23 +0900
 Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
   (GH-11842)

  CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().

 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
  Lib/test/test_urllib.py                                           | 7 +++++++
  Lib/urllib.py                                                     | 4 +++-
  Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
  3 files changed, 11 insertions(+), 1 deletion(-)
  create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst

 diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
 index d7778d4194..ae1f6c0b29 100644
 --- a/Lib/test/test_urllib.py
 +++ b/Lib/test/test_urllib.py
 @@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
              "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
              "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")

 +    def test_local_file_open(self):
 +        class DummyURLopener(urllib.URLopener):
 +            def open_local_file(self, url):
 +                return url
 +        for url in ('local_file://example', 'local-file://example'):
 +            self.assertRaises(IOError, DummyURLopener().open, url)
 +            self.assertRaises(IOError, urllib.urlopen, url)

  # Just commented them out.
  # Can't really tell why keep failing in windows and sparc.
 diff --git a/Lib/urllib.py b/Lib/urllib.py
 index d85504a5cb..156879dd0a 100644
 --- a/Lib/urllib.py
 +++ b/Lib/urllib.py
 @@ -203,7 +203,9 @@ class URLopener:
          name = 'open_' + urltype
          self.type = urltype
          name = name.replace('-', '_')
 -        if not hasattr(self, name):
 +
 +        # bpo-35907: disallow the file reading with the type not allowed
 +        if not hasattr(self, name) or name == 'open_local_file':
              if proxy:
                  return self.open_unknown_proxy(proxy, fullurl, data)
              else:
 diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
 new file mode 100644
 index 0000000000..bb187d8d65
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
 @@ -0,0 +1 @@
 +CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
 --
 2.11.0
	From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001
	From: SH <push0ebp@gmail.com>
	Date: Wed, 22 May 2019 06:12:23 +0900
	Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
	(GH-11842)

	CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().

	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	---
	Lib/test/test_urllib.py \| 7 +++++++
	Lib/urllib.py \| 4 +++-
	Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst \| 1 +
	3 files changed, 11 insertions(+), 1 deletion(-)
	create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst

	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
	index d7778d4194..ae1f6c0b29 100644
	--- a/Lib/test/test_urllib.py
	+++ b/Lib/test/test_urllib.py
	@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
	"spam://c:\|windows%/:=&?~#+!$,;'@()*[]\|/path/"),
	"//c:\|windows%/:=&?~#+!$,;'@()*[]\|/path/")

	+ def test_local_file_open(self):
	+ class DummyURLopener(urllib.URLopener):
	+ def open_local_file(self, url):
	+ return url
	+ for url in ('local_file://example', 'local-file://example'):
	+ self.assertRaises(IOError, DummyURLopener().open, url)
	+ self.assertRaises(IOError, urllib.urlopen, url)

	# Just commented them out.
	# Can't really tell why keep failing in windows and sparc.
	diff --git a/Lib/urllib.py b/Lib/urllib.py
	index d85504a5cb..156879dd0a 100644
	--- a/Lib/urllib.py
	+++ b/Lib/urllib.py
	@@ -203,7 +203,9 @@ class URLopener:
	name = 'open_' + urltype
	self.type = urltype
	name = name.replace('-', '_')
	- if not hasattr(self, name):
	+
	+ # bpo-35907: disallow the file reading with the type not allowed
	+ if not hasattr(self, name) or name == 'open_local_file':
	if proxy:
	return self.open_unknown_proxy(proxy, fullurl, data)
	else:
	diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
	new file mode 100644
	index 0000000000..bb187d8d65
	--- /dev/null
	+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
	@@ -0,0 +1 @@
	+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
	--
	2.11.0