Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch | 55 |
1 files changed, 55 insertions, 0 deletions
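--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
@@ -0,0 +1,55 @@
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
+From: push0ebp <push0ebp@shl-MacBook-Pro.local>
+Date: Thu, 14 Feb 2019 02:05:46 +0900
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
+URL scheme in urllib
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Lib/test/test_urllib.py | 12 ++++++++++++
+Lib/urllib.py | 5 ++++-
+2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..e5f210e62a18 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1023,6 +1023,18 @@ def open_spam(self, url):
+"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+
++ def test_local_file_open(self):
++ class DummyURLopener(urllib.URLopener):
++ def open_local_file(self, url):
++ return url
++ self.assertEqual(DummyURLopener().open(
++ 'local-file://example'), '//example')
++ self.assertEqual(DummyURLopener().open(
++ 'local_file://example'), '//example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local-file://example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local_file://example')
+
+# Just commented them out.
+# Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb7e..a24e9a5c68fb 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
+name = 'open_' + urltype
+self.type = urltype
+name = name.replace('-', '_')
+- if not hasattr(self, name):
++
++ # bpo-35907: # disallow the file reading with the type not allowed
++ if not hasattr(self, name) or \
++ (self == _urlopener and name == 'open_local_file'):
+if proxy:
+return self.open_unknown_proxy(proxy, fullurl, data)
+else: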
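Review bot: The new guard in `open()` only fires when `self == _urlopener`, so a `URLopener` or subclass that an application instantiates itself still dispatches `local_file://` and `local-file://` URLs to `open_local_file`; the added test asserts exactly that for `DummyURLopener().open(...)`. If the intent is to close CVE-2019-9948 for every caller, the condition should not depend on which instance is used, e.g. `if not hasattr(self, name) or name == 'open_local_file':`, with the two `assertEqual` cases turned into `assertRaises(IOError, ...)`. The header says `Upstream-Status: Submitted`, so this appears to be the pull-request revision and is worth re-checking against whatever was finally merged upstream before it is carried in the recipe. The comment line also has a stray second `#` (`# bpo-35907: # disallow ...`), and `open()` starts and ends outside the hunk.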