summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
diff options
context:
space:
mode:
authorMartin Jansa <martin.jansa@gmail.com>2019-05-17 20:16:17 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-27 18:05:18 +0100
commit016a0b830e65cdd71830ddf12fec8ca795b0f264 (patch)
treee628136c17dab595baa452a900dc8a484409c917 /meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
parent81439e7d18ad12b25c67812c5277c24c92c8e3b5 (diff)
downloadpoky-016a0b830e65cdd71830ddf12fec8ca795b0f264.tar.gz
python: add a fix for CVE-2019-9948 and CVE-2019-9636
Source: OpenEmbedded.org MR: 98320, 98319 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6 ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd Description: Fixes: CVE-2019-9948 CVE-2019-9636 CVE-2019-9940 is a dup of 9948 per python.org CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067 (From OE-Core rev: e7bdff05da6075efc21c5ac9492b06e481e5a239) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Minor clean up for thud] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch')
-rw-r--r--meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
new file mode 100644
index 0000000000..f4c225d2fc
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
@@ -0,0 +1,55 @@
1From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
2From: push0ebp <push0ebp@shl-MacBook-Pro.local>
3Date: Thu, 14 Feb 2019 02:05:46 +0900
4Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
5 URL scheme in urllib
6
7Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
8
9CVE: CVE-2019-9948
10
11Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
12---
13 Lib/test/test_urllib.py | 12 ++++++++++++
14 Lib/urllib.py | 5 ++++-
15 2 files changed, 16 insertions(+), 1 deletion(-)
16
17diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
18index 1ce9201c0693..e5f210e62a18 100644
19--- a/Lib/test/test_urllib.py
20+++ b/Lib/test/test_urllib.py
21@@ -1023,6 +1023,18 @@ def open_spam(self, url):
22 "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
23 "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
24
25+ def test_local_file_open(self):
26+ class DummyURLopener(urllib.URLopener):
27+ def open_local_file(self, url):
28+ return url
29+ self.assertEqual(DummyURLopener().open(
30+ 'local-file://example'), '//example')
31+ self.assertEqual(DummyURLopener().open(
32+ 'local_file://example'), '//example')
33+ self.assertRaises(IOError, urllib.urlopen,
34+ 'local-file://example')
35+ self.assertRaises(IOError, urllib.urlopen,
36+ 'local_file://example')
37
38 # Just commented them out.
39 # Can't really tell why keep failing in windows and sparc.
40diff --git a/Lib/urllib.py b/Lib/urllib.py
41index d85504a5cb7e..a24e9a5c68fb 100644
42--- a/Lib/urllib.py
43+++ b/Lib/urllib.py
44@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
45 name = 'open_' + urltype
46 self.type = urltype
47 name = name.replace('-', '_')
48- if not hasattr(self, name):
49+
50+ # bpo-35907: # disallow the file reading with the type not allowed
51+ if not hasattr(self, name) or \
52+ (self == _urlopener and name == 'open_local_file'):
53 if proxy:
54 return self.open_unknown_proxy(proxy, fullurl, data)
55 else: