Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.7] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) #13505

Merged
merged 1 commit into from May 22, 2019

Conversation

Projects
None yet
4 participants
@vstinner
Copy link
Member

commented May 22, 2019

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH push0ebp@gmail.com
(cherry picked from commit 0c2b6a3)

https://bugs.python.org/issue35907

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)

@vstinner vstinner force-pushed the vstinner:local_file37 branch from 0bc56a3 to 3fa7251 May 22, 2019

@vstinner vstinner merged commit 34bab21 into python:3.7 May 22, 2019

6 checks passed

Azure Pipelines PR #20190522.109 succeeded
Details
bedevere/issue-number Issue number 35907 found
Details
bedevere/maintenance-branch-pr Valid maintenance branch PR title.
bedevere/news News entry found in Misc/NEWS.d
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@vstinner vstinner deleted the vstinner:local_file37 branch May 22, 2019

@miss-islington

This comment has been minimized.

Copy link

commented May 22, 2019

Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒🤖

vstinner added a commit to vstinner/cpython that referenced this pull request May 22, 2019

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (python…
…GH-13474) (pythonGH-13505)

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)

vstinner added a commit to vstinner/cpython that referenced this pull request May 22, 2019

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (python…
…GH-13474) (pythonGH-13505)

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)
@bedevere-bot

This comment has been minimized.

Copy link

commented May 22, 2019

GH-13513 is a backport of this pull request to the 3.6 branch.

vstinner added a commit to vstinner/cpython that referenced this pull request May 27, 2019

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (python…
…GH-13474) (pythonGH-13505)

CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)

vstinner added a commit to vstinner/cpython that referenced this pull request May 27, 2019

bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (python…
…GH-13474) (pythonGH-13505)

CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.