projects / feed / packages.git / blob
? search:


341201f6781ed7864db5e72b5c77695b36b5260f
[feed/packages.git] /
1 From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
2 From: push0ebp <push0ebp@shl-MacBook-Pro.local>
3 Date: Thu, 14 Feb 2019 02:05:46 +0900
4 Subject: [PATCH 1/6] bpo-35907: Avoid file reading as disallowing the
5 unnecessary URL scheme in urllib
6
7 ---
8 Lib/test/test_urllib.py | 12 ++++++++++++
9 Lib/urllib.py | 5 ++++-
10 2 files changed, 16 insertions(+), 1 deletion(-)
11
12 diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
13 index 1ce9201c0693..e5f210e62a18 100644
14 --- a/Lib/test/test_urllib.py
15 +++ b/Lib/test/test_urllib.py
16 @@ -1023,6 +1023,18 @@ def open_spam(self, url):
17 "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
18 "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
19
20 + def test_local_file_open(self):
21 + class DummyURLopener(urllib.URLopener):
22 + def open_local_file(self, url):
23 + return url
24 + self.assertEqual(DummyURLopener().open(
25 + 'local-file://example'), '//example')
26 + self.assertEqual(DummyURLopener().open(
27 + 'local_file://example'), '//example')
28 + self.assertRaises(IOError, urllib.urlopen,
29 + 'local-file://example')
30 + self.assertRaises(IOError, urllib.urlopen,
31 + 'local_file://example')
32
33 # Just commented them out.
34 # Can't really tell why keep failing in windows and sparc.
35 diff --git a/Lib/urllib.py b/Lib/urllib.py
36 index d85504a5cb7e..a24e9a5c68fb 100644
37 --- a/Lib/urllib.py
38 +++ b/Lib/urllib.py
39 @@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
40 name = 'open_' + urltype
41 self.type = urltype
42 name = name.replace('-', '_')
43 - if not hasattr(self, name):
44 +
45 + # bpo-35907: # disallow the file reading with the type not allowed
46 + if not hasattr(self, name) or \
47 + (self == _urlopener and name == 'open_local_file'):
48 if proxy:
49 return self.open_unknown_proxy(proxy, fullurl, data)
50 else:
51
52 From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001
53 From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com>
54 Date: Wed, 13 Feb 2019 17:21:11 +0000
55 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
56 =?UTF-8?q?rb=5Fit.?=
57 MIME-Version: 1.0
58 Content-Type: text/plain; charset=UTF-8
59 Content-Transfer-Encoding: 8bit
60
61 ---
62 .../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
63 1 file changed, 1 insertion(+)
64 create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
65
66 diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
67 new file mode 100644
68 index 000000000000..8118a5f40583
69 --- /dev/null
70 +++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
71 @@ -0,0 +1 @@
72 +Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
73 \ No newline at end of file
74
75 From f20a31c7364fecdd3197e0180a5857e23aa15065 Mon Sep 17 00:00:00 2001
76 From: SH <push0ebp@gmail.com>
77 Date: Fri, 17 May 2019 02:31:18 +0900
78 Subject: [PATCH 3/6] Update 2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
79
80 Add prefix "CVE-2019-9948: "
81 ---
82 .../next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 2 +-
83 1 file changed, 1 insertion(+), 1 deletion(-)
84
85 diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
86 index 8118a5f40583..bb187d8d65a5 100644
87 --- a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
88 +++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
89 @@ -1 +1 @@
90 -Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
91 \ No newline at end of file
92 +CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
93
94 From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
95 From: Sihoon Lee <push0ebp@gmail.com>
96 Date: Fri, 17 May 2019 02:41:06 +0900
97 Subject: [PATCH 4/6] Update test_urllib.py and urllib.py\nchange assertEqual
98 into assertRasies in DummyURLopener test, and simplify mitigation
99
100 ---
101 Lib/test/test_urllib.py | 11 +++--------
102 Lib/urllib.py | 4 ++--
103 2 files changed, 5 insertions(+), 10 deletions(-)
104
105 diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
106 index e5f210e62a18..1e23dfb0bb16 100644
107 --- a/Lib/test/test_urllib.py
108 +++ b/Lib/test/test_urllib.py
109 @@ -1027,14 +1027,9 @@ def test_local_file_open(self):
110 class DummyURLopener(urllib.URLopener):
111 def open_local_file(self, url):
112 return url
113 - self.assertEqual(DummyURLopener().open(
114 - 'local-file://example'), '//example')
115 - self.assertEqual(DummyURLopener().open(
116 - 'local_file://example'), '//example')
117 - self.assertRaises(IOError, urllib.urlopen,
118 - 'local-file://example')
119 - self.assertRaises(IOError, urllib.urlopen,
120 - 'local_file://example')
121 + for url in ('local_file://example', 'local-file://example'):
122 + self.assertRaises(IOError, DummyURLopener().open, url)
123 + self.assertRaises(IOError, urllib.urlopen, url)
124
125 # Just commented them out.
126 # Can't really tell why keep failing in windows and sparc.
127 diff --git a/Lib/urllib.py b/Lib/urllib.py
128 index a24e9a5c68fb..39b834054e9e 100644
129 --- a/Lib/urllib.py
130 +++ b/Lib/urllib.py
131 @@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
132 name = 'open_' + urltype
133 self.type = urltype
134 name = name.replace('-', '_')
135 -
136 +
137 # bpo-35907: # disallow the file reading with the type not allowed
138 if not hasattr(self, name) or \
139 - (self == _urlopener and name == 'open_local_file'):
140 + getattr(self, name) == self.open_local_file:
141 if proxy:
142 return self.open_unknown_proxy(proxy, fullurl, data)
143 else:
144
145 From 3cda03c00109f9c1ae0df1760ecd60915cef105e Mon Sep 17 00:00:00 2001
146 From: SH <push0ebp@gmail.com>
147 Date: Tue, 21 May 2019 22:21:15 +0900
148 Subject: [PATCH 5/6] Update urllib.py
149
150 Modify the object to string in check method name.
151 ---
152 Lib/urllib.py | 3 +--
153 1 file changed, 1 insertion(+), 2 deletions(-)
154
155 diff --git a/Lib/urllib.py b/Lib/urllib.py
156 index 39b834054e9e..0bf5f4d5a21b 100644
157 --- a/Lib/urllib.py
158 +++ b/Lib/urllib.py
159 @@ -205,8 +205,7 @@ def open(self, fullurl, data=None):
160 name = name.replace('-', '_')
161
162 # bpo-35907: # disallow the file reading with the type not allowed
163 - if not hasattr(self, name) or \
164 - getattr(self, name) == self.open_local_file:
165 + if not hasattr(self, name) or name == 'open_local_file':
166 if proxy:
167 return self.open_unknown_proxy(proxy, fullurl, data)
168 else:
169
170 From 8b7d7abff8c633e29a8f10bbf9cc7d9e656b0eec Mon Sep 17 00:00:00 2001
171 From: SH <push0ebp@gmail.com>
172 Date: Wed, 22 May 2019 03:48:56 +0900
173 Subject: [PATCH 6/6] Update urllib.py
174
175 Fix typo
176 ---
177 Lib/urllib.py | 2 +-
178 1 file changed, 1 insertion(+), 1 deletion(-)
179
180 diff --git a/Lib/urllib.py b/Lib/urllib.py
181 index 0bf5f4d5a21b..156879dd0a14 100644
182 --- a/Lib/urllib.py
183 +++ b/Lib/urllib.py
184 @@ -204,7 +204,7 @@ def open(self, fullurl, data=None):
185 self.type = urltype
186 name = name.replace('-', '_')
187
188 - # bpo-35907: # disallow the file reading with the type not allowed
189 + # bpo-35907: disallow the file reading with the type not allowed
190 if not hasattr(self, name) or name == 'open_local_file':
191 if proxy:
192 return self.open_unknown_proxy(proxy, fullurl, data)
Mirror of packages feed