|
@ -0,0 +1,192 @@ |
|
|
|
|
|
From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: push0ebp <push0ebp@shl-MacBook-Pro.local> |
|
|
|
|
|
Date: Thu, 14 Feb 2019 02:05:46 +0900 |
|
|
|
|
|
Subject: [PATCH 1/6] bpo-35907: Avoid file reading as disallowing the |
|
|
|
|
|
unnecessary URL scheme in urllib |
|
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
Lib/test/test_urllib.py | 12 ++++++++++++ |
|
|
|
|
|
Lib/urllib.py | 5 ++++- |
|
|
|
|
|
2 files changed, 16 insertions(+), 1 deletion(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
|
|
|
|
|
index 1ce9201c0693..e5f210e62a18 100644
|
|
|
|
|
|
--- a/Lib/test/test_urllib.py
|
|
|
|
|
|
+++ b/Lib/test/test_urllib.py
|
|
|
|
|
|
@@ -1023,6 +1023,18 @@ def open_spam(self, url):
|
|
|
|
|
|
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), |
|
|
|
|
|
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") |
|
|
|
|
|
|
|
|
|
|
|
+ def test_local_file_open(self):
|
|
|
|
|
|
+ class DummyURLopener(urllib.URLopener):
|
|
|
|
|
|
+ def open_local_file(self, url):
|
|
|
|
|
|
+ return url
|
|
|
|
|
|
+ self.assertEqual(DummyURLopener().open(
|
|
|
|
|
|
+ 'local-file://example'), '//example')
|
|
|
|
|
|
+ self.assertEqual(DummyURLopener().open(
|
|
|
|
|
|
+ 'local_file://example'), '//example')
|
|
|
|
|
|
+ self.assertRaises(IOError, urllib.urlopen,
|
|
|
|
|
|
+ 'local-file://example')
|
|
|
|
|
|
+ self.assertRaises(IOError, urllib.urlopen,
|
|
|
|
|
|
+ 'local_file://example')
|
|
|
|
|
|
|
|
|
|
|
|
# Just commented them out. |
|
|
|
|
|
# Can't really tell why keep failing in windows and sparc. |
|
|
|
|
|
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
|
|
|
|
|
index d85504a5cb7e..a24e9a5c68fb 100644
|
|
|
|
|
|
--- a/Lib/urllib.py
|
|
|
|
|
|
+++ b/Lib/urllib.py
|
|
|
|
|
|
@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
|
|
|
|
|
|
name = 'open_' + urltype |
|
|
|
|
|
self.type = urltype |
|
|
|
|
|
name = name.replace('-', '_') |
|
|
|
|
|
- if not hasattr(self, name):
|
|
|
|
|
|
+
|
|
|
|
|
|
+ # bpo-35907: # disallow the file reading with the type not allowed
|
|
|
|
|
|
+ if not hasattr(self, name) or \
|
|
|
|
|
|
+ (self == _urlopener and name == 'open_local_file'):
|
|
|
|
|
|
if proxy: |
|
|
|
|
|
return self.open_unknown_proxy(proxy, fullurl, data) |
|
|
|
|
|
else: |
|
|
|
|
|
|
|
|
|
|
|
From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com> |
|
|
|
|
|
Date: Wed, 13 Feb 2019 17:21:11 +0000 |
|
|
|
|
|
Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= |
|
|
|
|
|
=?UTF-8?q?rb=5Fit.?= |
|
|
|
|
|
MIME-Version: 1.0 |
|
|
|
|
|
Content-Type: text/plain; charset=UTF-8 |
|
|
|
|
|
Content-Transfer-Encoding: 8bit |
|
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
.../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 + |
|
|
|
|
|
1 file changed, 1 insertion(+) |
|
|
|
|
|
create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
|
|
|
|
|
new file mode 100644 |
|
|
|
|
|
index 000000000000..8118a5f40583
|
|
|
|
|
|
--- /dev/null
|
|
|
|
|
|
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
|
|
|
|
|
@@ -0,0 +1 @@
|
|
|
|
|
|
+Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
|
|
|
|
|
|
\ No newline at end of file |
|
|
|
|
|
|
|
|
|
|
|
From f20a31c7364fecdd3197e0180a5857e23aa15065 Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: SH <push0ebp@gmail.com> |
|
|
|
|
|
Date: Fri, 17 May 2019 02:31:18 +0900 |
|
|
|
|
|
Subject: [PATCH 3/6] Update 2019-02-13-17-21-10.bpo-35907.ckk2zg.rst |
|
|
|
|
|
|
|
|
|
|
|
Add prefix "CVE-2019-9948: " |
|
|
|
|
|
---
|
|
|
|
|
|
.../next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 2 +- |
|
|
|
|
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
|
|
|
|
|
index 8118a5f40583..bb187d8d65a5 100644
|
|
|
|
|
|
--- a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
|
|
|
|
|
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
|
|
|
|
|
|
@@ -1 +1 @@
|
|
|
|
|
|
-Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
|
|
|
|
|
|
\ No newline at end of file |
|
|
|
|
|
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
|
|
|
|
|
|
|
|
|
|
|
|
From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: Sihoon Lee <push0ebp@gmail.com> |
|
|
|
|
|
Date: Fri, 17 May 2019 02:41:06 +0900 |
|
|
|
|
|
Subject: [PATCH 4/6] Update test_urllib.py and urllib.py\nchange assertEqual |
|
|
|
|
|
into assertRasies in DummyURLopener test, and simplify mitigation |
|
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
Lib/test/test_urllib.py | 11 +++-------- |
|
|
|
|
|
Lib/urllib.py | 4 ++-- |
|
|
|
|
|
2 files changed, 5 insertions(+), 10 deletions(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
|
|
|
|
|
index e5f210e62a18..1e23dfb0bb16 100644
|
|
|
|
|
|
--- a/Lib/test/test_urllib.py
|
|
|
|
|
|
+++ b/Lib/test/test_urllib.py
|
|
|
|
|
|
@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
|
|
|
|
|
|
class DummyURLopener(urllib.URLopener): |
|
|
|
|
|
def open_local_file(self, url): |
|
|
|
|
|
return url |
|
|
|
|
|
- self.assertEqual(DummyURLopener().open(
|
|
|
|
|
|
- 'local-file://example'), '//example')
|
|
|
|
|
|
- self.assertEqual(DummyURLopener().open(
|
|
|
|
|
|
- 'local_file://example'), '//example')
|
|
|
|
|
|
- self.assertRaises(IOError, urllib.urlopen,
|
|
|
|
|
|
- 'local-file://example')
|
|
|
|
|
|
- self.assertRaises(IOError, urllib.urlopen,
|
|
|
|
|
|
- 'local_file://example')
|
|
|
|
|
|
+ for url in ('local_file://example', 'local-file://example'):
|
|
|
|
|
|
+ self.assertRaises(IOError, DummyURLopener().open, url)
|
|
|
|
|
|
+ self.assertRaises(IOError, urllib.urlopen, url)
|
|
|
|
|
|
|
|
|
|
|
|
# Just commented them out. |
|
|
|
|
|
# Can't really tell why keep failing in windows and sparc. |
|
|
|
|
|
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
|
|
|
|
|
index a24e9a5c68fb..39b834054e9e 100644
|
|
|
|
|
|
--- a/Lib/urllib.py
|
|
|
|
|
|
+++ b/Lib/urllib.py
|
|
|
|
|
|
@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
|
|
|
|
|
|
name = 'open_' + urltype |
|
|
|
|
|
self.type = urltype |
|
|
|
|
|
name = name.replace('-', '_') |
|
|
|
|
|
-
|
|
|
|
|
|
+
|
|
|
|
|
|
# bpo-35907: # disallow the file reading with the type not allowed |
|
|
|
|
|
if not hasattr(self, name) or \ |
|
|
|
|
|
- (self == _urlopener and name == 'open_local_file'):
|
|
|
|
|
|
+ getattr(self, name) == self.open_local_file:
|
|
|
|
|
|
if proxy: |
|
|
|
|
|
return self.open_unknown_proxy(proxy, fullurl, data) |
|
|
|
|
|
else: |
|
|
|
|
|
|
|
|
|
|
|
From 3cda03c00109f9c1ae0df1760ecd60915cef105e Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: SH <push0ebp@gmail.com> |
|
|
|
|
|
Date: Tue, 21 May 2019 22:21:15 +0900 |
|
|
|
|
|
Subject: [PATCH 5/6] Update urllib.py |
|
|
|
|
|
|
|
|
|
|
|
Modify the object to string in check method name. |
|
|
|
|
|
---
|
|
|
|
|
|
Lib/urllib.py | 3 +-- |
|
|
|
|
|
1 file changed, 1 insertion(+), 2 deletions(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
|
|
|
|
|
index 39b834054e9e..0bf5f4d5a21b 100644
|
|
|
|
|
|
--- a/Lib/urllib.py
|
|
|
|
|
|
+++ b/Lib/urllib.py
|
|
|
|
|
|
@@ -205,8 +205,7 @@ def open(self, fullurl, data=None):
|
|
|
|
|
|
name = name.replace('-', '_') |
|
|
|
|
|
|
|
|
|
|
|
# bpo-35907: # disallow the file reading with the type not allowed |
|
|
|
|
|
- if not hasattr(self, name) or \
|
|
|
|
|
|
- getattr(self, name) == self.open_local_file:
|
|
|
|
|
|
+ if not hasattr(self, name) or name == 'open_local_file':
|
|
|
|
|
|
if proxy: |
|
|
|
|
|
return self.open_unknown_proxy(proxy, fullurl, data) |
|
|
|
|
|
else: |
|
|
|
|
|
|
|
|
|
|
|
From 8b7d7abff8c633e29a8f10bbf9cc7d9e656b0eec Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: SH <push0ebp@gmail.com> |
|
|
|
|
|
Date: Wed, 22 May 2019 03:48:56 +0900 |
|
|
|
|
|
Subject: [PATCH 6/6] Update urllib.py |
|
|
|
|
|
|
|
|
|
|
|
Fix typo |
|
|
|
|
|
---
|
|
|
|
|
|
Lib/urllib.py | 2 +- |
|
|
|
|
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
|
|
|
|
|
index 0bf5f4d5a21b..156879dd0a14 100644
|
|
|
|
|
|
--- a/Lib/urllib.py
|
|
|
|
|
|
+++ b/Lib/urllib.py
|
|
|
|
|
|
@@ -204,7 +204,7 @@ def open(self, fullurl, data=None):
|
|
|
|
|
|
self.type = urltype |
|
|
|
|
|
name = name.replace('-', '_') |
|
|
|
|
|
|
|
|
|
|
|
- # bpo-35907: # disallow the file reading with the type not allowed
|
|
|
|
|
|
+ # bpo-35907: disallow the file reading with the type not allowed
|
|
|
|
|
|
if not hasattr(self, name) or name == 'open_local_file': |
|
|
|
|
|
if proxy: |
|
|
|
|
|
return self.open_unknown_proxy(proxy, fullurl, data) |