diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2019-06-16 23:17:09 +0200 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2019-06-23 23:26:11 +0200 |
| commit | b3eab82f60e8f38863e71a08351a2f1379e19869 (patch) | |
| tree | 337b7ec507feaf7f1b97e60e5464f2be4103c798 | |
| parent | 2c8a395bc0f2e686304991c5732de55520264296 (diff) | |
package/python: add upstream security fix for CVE-2019-9948
Fixes CVE-2019-9948: Unnecessary URL scheme exists to allow file:// reading
file in urllib.
https://bugs.python.org/issue35907
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6522aad76a250e2f59669c7eb3aa1565502db117)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| -rw-r--r-- | package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch b/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch new file mode 100644 index 0000000000..5ca1433465 --- /dev/null +++ b/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch @@ -0,0 +1,59 @@ +From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001 +From: SH <push0ebp@gmail.com> +Date: Wed, 22 May 2019 06:12:23 +0900 +Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme + (GH-11842) + + CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen(). + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> +--- + Lib/test/test_urllib.py | 7 +++++++ + Lib/urllib.py | 4 +++- + Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 + + 3 files changed, 11 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst + +diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py +index d7778d4194..ae1f6c0b29 100644 +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase): + "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), + "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + ++ def test_local_file_open(self): ++ class DummyURLopener(urllib.URLopener): ++ def open_local_file(self, url): ++ return url ++ for url in ('local_file://example', 'local-file://example'): ++ self.assertRaises(IOError, DummyURLopener().open, url) ++ self.assertRaises(IOError, urllib.urlopen, url) + + # Just commented them out. + # Can't really tell why keep failing in windows and sparc. +diff --git a/Lib/urllib.py b/Lib/urllib.py +index d85504a5cb..156879dd0a 100644 +--- a/Lib/urllib.py ++++ b/Lib/urllib.py +@@ -203,7 +203,9 @@ class URLopener: + name = 'open_' + urltype + self.type = urltype + name = name.replace('-', '_') +- if not hasattr(self, name): ++ ++ # bpo-35907: disallow the file reading with the type not allowed ++ if not hasattr(self, name) or name == 'open_local_file': + if proxy: + return self.open_unknown_proxy(proxy, fullurl, data) + else: +diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst +new file mode 100644 +index 0000000000..bb187d8d65 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst +@@ -0,0 +1 @@ ++CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen +-- +2.11.0 + |