pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
88ffffeead
python/CVE-2019-9948-avoid_local-file.patch
Matej Cepl 88ffffeead Accepting request 692400 from home:mcepl:branches:devel:languages:python:Factory 
- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch 
  removing unnecessary (and potentially harmful) URL scheme
  local-file://.

- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
  Characters in the netloc attribute that decompose under NFKC
  normalization (as used by the IDNA encoding) into any of ``/``,
  ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
  URL is decomposed before parsing, or is not a Unicode string,
  no error will be raised.
  Upstream commits e37ef41 and 507bd8c.

- Update to 2.7.16:
  * bugfix-only release: complete list of changes on
    https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
  * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
    which are fully included in the tarball.
  * Updated patches to apply cleanly:
        CVE-2019-5010-null-defer-x509-cert-DOS.patch
        bpo36160-init-sysconfig_vars.patch
        do-not-use-non-ascii-in-test_ssl.patch
        openssl-111-middlebox-compat.patch
        openssl-111-ssl_options.patch
        python-2.5.1-sqlite.patch
        python-2.6-gettext-plurals.patch
        python-2.7-dirs.patch
        python-2.7.2-fix_date_time_compiler.patch
        python-2.7.4-canonicalize2.patch
        python-2.7.5-multilib.patch
        python-2.7.9-ssl_ca_path.patch

OBS-URL: https://build.opensuse.org/request/show/692400
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=241
2019-04-08 22:40:36 +00:00

74 lines
2.9 KiB
Diff
Raw Blame History

From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
From: push0ebp <push0ebp@shl-MacBook-Pro.local>
Date: Thu, 14 Feb 2019 02:05:46 +0900
Subject: [PATCH 1/2] bpo-35907: Avoid file reading as disallowing the
unnecessary URL scheme in urllib
---
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib.py | 5 ++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 1ce9201c0693..e5f210e62a18 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1023,6 +1023,18 @@ def open_spam(self, url):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+ self.assertEqual(DummyURLopener().open(
+ 'local-file://example'), '//example')
+ self.assertEqual(DummyURLopener().open(
+ 'local_file://example'), '//example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local-file://example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local_file://example')
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index d85504a5cb7e..a24e9a5c68fb 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
- if not hasattr(self, name):
+
+ # bpo-35907: # disallow the file reading with the type not allowed
+ if not hasattr(self, name) or \
+ (self == _urlopener and name == 'open_local_file'):
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com>
Date: Wed, 13 Feb 2019 17:21:11 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
=?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
1 file changed, 1 insertion(+)
create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
new file mode 100644
index 000000000000..8118a5f40583
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -0,0 +1 @@
+Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
\ No newline at end of file
Reference in New Issue View Git Blame Copy Permalink