LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15250 Commits
1 Branch
46 MiB
Tree: f6b6fed942
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f6b6fed942'
${ noResults }
openwrt-packages-dist/lang/python/python3/patches/023-bpo-35907-CVE-2019-9948...

76 lines
3.2 KiB
Raw Normal View History

python,python3: Fix CVE-2019-9948 - local_file:// allowed in urllib These patches address issue: CVE-2019-9948: Unnecessary URL scheme exists to allow local_file:// reading file in urllib Link to Python issue: https://bugs.python.org/issue35907 Issue 35907 is still currently open, waiting for a decision for Python 3.5; these patches for Python 2.7 and 3.7 have been merged. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
6 years ago
 
  1. From 3fa72516a390fa8e3552007814e8dc1248686eb5 Mon Sep 17 00:00:00 2001
  2. From: Victor Stinner <victor.stinner@gmail.com>
  3. Date: Wed, 22 May 2019 22:15:01 +0200
  4. Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
  5.  (GH-13474)
  6. 

  7. CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
  8. scheme in URLopener().open() and URLopener().retrieve()
  9. of urllib.request.
  10. 

  11. Co-Authored-By: SH <push0ebp@gmail.com>
  12. (cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
  13. ---

  14.  Lib/test/test_urllib.py                        | 18 ++++++++++++++++++
  15.  Lib/urllib/request.py                          |  2 +-
  16.  .../2019-05-21-23-20-18.bpo-35907.NC_zNK.rst   |  2 ++
  17.  3 files changed, 21 insertions(+), 1 deletion(-)
  18.  create mode 100644 Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
  19. 

  20. diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py

  21. index 7214492eca9d..7ec365b928a5 100644

  22. --- a/Lib/test/test_urllib.py

  23. +++ b/Lib/test/test_urllib.py

  24. @@ -16,6 +16,7 @@

  25.      ssl = None
  26.  import sys
  27.  import tempfile
  28. +import warnings

  29.  from nturl2path import url2pathname, pathname2url
  30.  
  31.  from base64 import b64encode
  32. @@ -1463,6 +1464,23 @@ def open_spam(self, url):

  33.                  "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
  34.                  "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
  35.  
  36. +    def test_local_file_open(self):

  37. +        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme

  38. +        class DummyURLopener(urllib.request.URLopener):

  39. +            def open_local_file(self, url):

  40. +                return url

  41. +

  42. +        with warnings.catch_warnings(record=True):

  43. +            warnings.simplefilter("ignore", DeprecationWarning)

  44. +

  45. +            for url in ('local_file://example', 'local-file://example'):

  46. +                self.assertRaises(OSError, urllib.request.urlopen, url)

  47. +                self.assertRaises(OSError, urllib.request.URLopener().open, url)

  48. +                self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)

  49. +                self.assertRaises(OSError, DummyURLopener().open, url)

  50. +                self.assertRaises(OSError, DummyURLopener().retrieve, url)

  51. +

  52. +

  53.  # Just commented them out.
  54.  # Can't really tell why keep failing in windows and sparc.
  55.  # Everywhere else they work ok, but on those machines, sometimes
  56. diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py

  57. index d38f725d8e9f..37b254862887 100644

  58. --- a/Lib/urllib/request.py

  59. +++ b/Lib/urllib/request.py

  60. @@ -1746,7 +1746,7 @@ def open(self, fullurl, data=None):

  61.          name = 'open_' + urltype
  62.          self.type = urltype
  63.          name = name.replace('-', '_')
  64. -        if not hasattr(self, name):

  65. +        if not hasattr(self, name) or name == 'open_local_file':

  66.              if proxy:
  67.                  return self.open_unknown_proxy(proxy, fullurl, data)
  68.              else:
  69. diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst

  70. new file mode 100644
  71. index 000000000000..16adc7a94e2f

  72. --- /dev/null

  73. +++ b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst

  74. @@ -0,0 +1,2 @@

  75. +CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in

  76. +``URLopener().open()`` and ``URLopener().retrieve()`` of :mod:`urllib.request`.