python,python3: Fix CVE-2019-9948 - local_file:// allowed in urllib

These patches address issue: CVE-2019-9948: Unnecessary URL scheme exists to allow local_file:// reading file in urllib Link to Python issue: https://bugs.python.org/issue35907 Issue 35907 is still currently open, waiting for a decision for Python 3.5; these patches for Python 2.7 and 3.7 have been merged. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2025-12-19 09:01:22 +00:00 · 2019-06-04 02:41:35 +08:00
parent 15a0606403
commit 53838903fe
4 changed files with 270 additions and 2 deletions
--- a/lang/python/python3/Makefile
+++ b/lang/python/python3/Makefile
@@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)

 PKG_NAME:=python3
-PKG_RELEASE:=12
+PKG_RELEASE:=13
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)

 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
--- a/lang/python/python3/patches/023-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-scheme-GH-13505.patch
+++ b/lang/python/python3/patches/023-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-scheme-GH-13505.patch
@@ -0,0 +1,76 @@
+From 3fa72516a390fa8e3552007814e8dc1248686eb5 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Wed, 22 May 2019 22:15:01 +0200
+Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
+ (GH-13474)
+
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
+scheme in URLopener().open() and URLopener().retrieve()
+of urllib.request.
+
+Co-Authored-By: SH <push0ebp@gmail.com>
+(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
+---
+ Lib/test/test_urllib.py                        | 18 ++++++++++++++++++
+ Lib/urllib/request.py                          |  2 +-
+ .../2019-05-21-23-20-18.bpo-35907.NC_zNK.rst   |  2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 7214492eca9d..7ec365b928a5 100644
+--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
+@@ -16,6 +16,7 @@
+     ssl = None
+ import sys
+ import tempfile
+import warnings
+ from nturl2path import url2pathname, pathname2url
+ 
+ from base64 import b64encode
+@@ -1463,6 +1464,23 @@ def open_spam(self, url):
+                 "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+                 "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ 
+    def test_local_file_open(self):
+        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
+        class DummyURLopener(urllib.request.URLopener):
+            def open_local_file(self, url):
+                return url
+
+        with warnings.catch_warnings(record=True):
+            warnings.simplefilter("ignore", DeprecationWarning)
+
+            for url in ('local_file://example', 'local-file://example'):
+                self.assertRaises(OSError, urllib.request.urlopen, url)
+                self.assertRaises(OSError, urllib.request.URLopener().open, url)
+                self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
+                self.assertRaises(OSError, DummyURLopener().open, url)
+                self.assertRaises(OSError, DummyURLopener().retrieve, url)
+
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+ # Everywhere else they work ok, but on those machines, sometimes
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index d38f725d8e9f..37b254862887 100644
+--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
+@@ -1746,7 +1746,7 @@ def open(self, fullurl, data=None):
+         name = 'open_' + urltype
+         self.type = urltype
+         name = name.replace('-', '_')
+-        if not hasattr(self, name):
+        if not hasattr(self, name) or name == 'open_local_file':
+             if proxy:
+                 return self.open_unknown_proxy(proxy, fullurl, data)
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
+new file mode 100644
+index 000000000000..16adc7a94e2f
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst
+@@ -0,0 +1,2 @@
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
+``URLopener().open()`` and ``URLopener().retrieve()`` of :mod:`urllib.request`.