You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 lines
1.6 KiB
37 lines
1.6 KiB
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py |
|
index d2da0f8..7813b9f 100644 |
|
--- a/Lib/test/test_urllib.py |
|
+++ b/Lib/test/test_urllib.py |
|
@@ -872,6 +872,17 @@ class URLopener_Tests(unittest.TestCase): |
|
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), |
|
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") |
|
|
|
+ def test_local_file_open(self): |
|
+ # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme |
|
+ class DummyURLopener(urllib.URLopener): |
|
+ def open_local_file(self, url): |
|
+ return url |
|
+ for url in ('local_file://example', 'local-file://example'): |
|
+ self.assertRaises(IOError, urllib.urlopen, url) |
|
+ self.assertRaises(IOError, urllib.URLopener().open, url) |
|
+ self.assertRaises(IOError, urllib.URLopener().retrieve, url) |
|
+ self.assertRaises(IOError, DummyURLopener().open, url) |
|
+ self.assertRaises(IOError, DummyURLopener().retrieve, url) |
|
|
|
# Just commented them out. |
|
# Can't really tell why keep failing in windows and sparc. |
|
diff --git a/Lib/urllib.py b/Lib/urllib.py |
|
index 2201e3e..71e3637 100644 |
|
--- a/Lib/urllib.py |
|
+++ b/Lib/urllib.py |
|
@@ -198,7 +198,9 @@ class URLopener: |
|
name = 'open_' + urltype |
|
self.type = urltype |
|
name = name.replace('-', '_') |
|
- if not hasattr(self, name): |
|
+ |
|
+ # bpo-35907: disallow the file reading with the type not allowed |
|
+ if not hasattr(self, name) or name == 'open_local_file': |
|
if proxy: |
|
return self.open_unknown_proxy(proxy, fullurl, data) |
|
else:
|
|
|