Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[2.7] bpo-35907: Avoid file reading as disallowing the unnecessary URL scheme in urllib (GH-11842) #11842

Merged
merged 6 commits into from May 21, 2019
+11 −1
Merged

[2.7] bpo-35907: Avoid file reading as disallowing the unnecessary URL scheme in urllib (GH-11842) #11842

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8f99cc7
bpo-35907: Avoid file reading as disallowing the unnecessary URL sche…
Feb 13, 2019
b863925
📜🤖 Added by blurb_it.
blurb-it[bot] Feb 13, 2019
f20a31c
Update 2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
push0ebp May 16, 2019
179a5f7
Update test_urllib.py and urllib.py\nchange assertEqual into assertRa…
push0ebp May 16, 2019
3cda03c
Update urllib.py
push0ebp May 21, 2019
8b7d7ab
Update urllib.py
push0ebp May 21, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 12 additions & 0 deletions Lib/test/test_urllib.py
View file
Open in desktop
Expand Up @@ -1023,6 +1023,18 @@ def open_spam(self, url):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")

def test_local_file_open(self):
class DummyURLopener(urllib.URLopener):
def open_local_file(self, url):
return url
self.assertEqual(DummyURLopener().open(
push0ebp marked this conversation as resolved.
Show resolved Hide resolved
'local-file://example'), '//example')
self.assertEqual(DummyURLopener().open(
'local_file://example'), '//example')
self.assertRaises(IOError, urllib.urlopen,
'local-file://example')
self.assertRaises(IOError, urllib.urlopen,
'local_file://example')

# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
Expand Down
5 changes: 4 additions & 1 deletion Lib/urllib.py
View file
Open in desktop
Expand Up @@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
if not hasattr(self, name):

# bpo-35907: # disallow the file reading with the type not allowed
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the # in "# bpo-35907: # disallow ...". Is it a typo?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh Sorry, my mistake. I will correct it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have fixed the typo.

if not hasattr(self, name) or \
(self == _urlopener and name == 'open_local_file'):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please simplify the fix. There is no need to check for _urlopener here. Just block all access to local_file:// schema. We don't need special cases for subclasses or special instances.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it does not check the instance type of self, all of overridden open_local_file method will be blocked.
will be okay?
like this

 self.assertRaises(IOError, DummyURLopener().open
            'local_file://example')
 self.assertRaises(IOError, DummyURLopener().open
            'local-file://example')

I think that it needs to check open_local_file is overridden.
What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it has to expect this test result.

def test_local_file_open(self):
        class DummyURLopener(urllib.URLopener):
            def open_local_file(self, url):
                return url

        class DummyURLopener2(urllib.URLopener):
            def open_test(self, url):
                return url

        opener = DummyURLopener()
        opener2 = DummyURLopener2()

        for url in ('local-file://example', 'local_file://example'):    
            self.assertEqual(opener.open(url), '//example')
            self.assertRaises(IOError, urllib.urlopen, url)
            self.assertRaises(IOError, opener2.open, url)
        self.assertEqual(opener2.open('test://example'), '//example')

but Considering the overriding method and instance type check was complex.
If you have a better idea. let me know.

if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
View file
Open in desktop
@@ -0,0 +1 @@
Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
push0ebp marked this conversation as resolved.
Show resolved Hide resolved