Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
python-base.12554
CVE-2019-9948-avoid_local-file.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-9948-avoid_local-file.patch of Package python-base.12554
From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 From: push0ebp <push0ebp@shl-MacBook-Pro.local> Date: Thu, 14 Feb 2019 02:05:46 +0900 Subject: [PATCH 1/2] bpo-35907: Avoid file reading as disallowing the unnecessary URL scheme in urllib --- Lib/test/test_urllib.py | 12 ++++++++++++ Lib/urllib.py | 5 ++++- 2 files changed, 16 insertions(+), 1 deletion(-) --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -1002,6 +1002,18 @@ class URLopener_Tests(unittest.TestCase) "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + def test_local_file_open(self): + class DummyURLopener(urllib.URLopener): + def open_local_file(self, url): + return url + self.assertEqual(DummyURLopener().open( + 'local-file://example'), '//example') + self.assertEqual(DummyURLopener().open( + 'local_file://example'), '//example') + self.assertRaises(IOError, urllib.urlopen, + 'local-file://example') + self.assertRaises(IOError, urllib.urlopen, + 'local_file://example') # Just commented them out. # Can't really tell why keep failing in windows and sparc. --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -203,7 +203,10 @@ class URLopener: name = 'open_' + urltype self.type = urltype name = name.replace('-', '_') - if not hasattr(self, name): + + # bpo-35907: # disallow the file reading with the type not allowed + if not hasattr(self, name) or \ + (self == _urlopener and name == 'open_local_file'): if proxy: return self.open_unknown_proxy(proxy, fullurl, data) else: --- /dev/null +++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst @@ -0,0 +1 @@ +Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen \ No newline at end of file
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor