diff options
Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch new file mode 100644 index 0000000000..b267237018 --- /dev/null +++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001 | ||
2 | From: Sihoon Lee <push0ebp@gmail.com> | ||
3 | Date: Fri, 17 May 2019 02:41:06 +0900 | ||
4 | Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into | ||
5 | assertRasies in DummyURLopener test, and simplify mitigation | ||
6 | |||
7 | Upstream-Status: Submitted https://github.com/python/cpython/pull/11842 | ||
8 | |||
9 | CVE: CVE-2019-9948 | ||
10 | |||
11 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> | ||
12 | --- | ||
13 | Lib/test/test_urllib.py | 11 +++-------- | ||
14 | Lib/urllib.py | 4 ++-- | ||
15 | 2 files changed, 5 insertions(+), 10 deletions(-) | ||
16 | |||
17 | diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py | ||
18 | index e5f210e62a18..1e23dfb0bb16 100644 | ||
19 | --- a/Lib/test/test_urllib.py | ||
20 | +++ b/Lib/test/test_urllib.py | ||
21 | @@ -1027,14 +1027,9 @@ def test_local_file_open(self): | ||
22 | class DummyURLopener(urllib.URLopener): | ||
23 | def open_local_file(self, url): | ||
24 | return url | ||
25 | - self.assertEqual(DummyURLopener().open( | ||
26 | - 'local-file://example'), '//example') | ||
27 | - self.assertEqual(DummyURLopener().open( | ||
28 | - 'local_file://example'), '//example') | ||
29 | - self.assertRaises(IOError, urllib.urlopen, | ||
30 | - 'local-file://example') | ||
31 | - self.assertRaises(IOError, urllib.urlopen, | ||
32 | - 'local_file://example') | ||
33 | + for url in ('local_file://example', 'local-file://example'): | ||
34 | + self.assertRaises(IOError, DummyURLopener().open, url) | ||
35 | + self.assertRaises(IOError, urllib.urlopen, url) | ||
36 | |||
37 | # Just commented them out. | ||
38 | # Can't really tell why keep failing in windows and sparc. | ||
39 | diff --git a/Lib/urllib.py b/Lib/urllib.py | ||
40 | index a24e9a5c68fb..39b834054e9e 100644 | ||
41 | --- a/Lib/urllib.py | ||
42 | +++ b/Lib/urllib.py | ||
43 | @@ -203,10 +203,10 @@ def open(self, fullurl, data=None): | ||
44 | name = 'open_' + urltype | ||
45 | self.type = urltype | ||
46 | name = name.replace('-', '_') | ||
47 | - | ||
48 | + | ||
49 | # bpo-35907: # disallow the file reading with the type not allowed | ||
50 | if not hasattr(self, name) or \ | ||
51 | - (self == _urlopener and name == 'open_local_file'): | ||
52 | + getattr(self, name) == self.open_local_file: | ||
53 | if proxy: | ||
54 | return self.open_unknown_proxy(proxy, fullurl, data) | ||
55 | else: | ||