Skip to content
Browse files

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474

…) (GH-13505)

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <>
(cherry picked from commit 0c2b6a3)
  • Loading branch information...
vstinner committed May 22, 2019
1 parent 81c5ec9 commit 34bab215596671d0dec2066ae7d7450cd73f638b
@@ -16,6 +16,7 @@
ssl = None
import sys
import tempfile
import warnings
from nturl2path import url2pathname, pathname2url

from base64 import b64encode
@@ -1463,6 +1464,23 @@ def open_spam(self, url):

def test_local_file_open(self):
# bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
class DummyURLopener(urllib.request.URLopener):
def open_local_file(self, url):
return url

with warnings.catch_warnings(record=True):
warnings.simplefilter("ignore", DeprecationWarning)

for url in ('local_file://example', 'local-file://example'):
self.assertRaises(OSError, urllib.request.urlopen, url)
self.assertRaises(OSError, urllib.request.URLopener().open, url)
self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
self.assertRaises(OSError, DummyURLopener().open, url)
self.assertRaises(OSError, DummyURLopener().retrieve, url)

# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
# Everywhere else they work ok, but on those machines, sometimes
@@ -1746,7 +1746,7 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
if not hasattr(self, name):
if not hasattr(self, name) or name == 'open_local_file':
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
@@ -0,0 +1,2 @@
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
``URLopener().open()`` and ``URLopener().retrieve()`` of :mod:`urllib.request`.

0 comments on commit 34bab21

Please sign in to comment.
You can’t perform that action at this time.