Skip to content

/cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.6] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) (GH-13505) #13513

Merged
merged 1 commit into from May 29, 2019
Merged

[3.6] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) (GH-13505) #13513

merged 1 commit into from May 29, 2019
+22 −1

Conversation

@vstinner
Copy link
Member

vstinner commented May 22, 2019
edited by bedevere-bot

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH push0ebp@gmail.com
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)

https://bugs.python.org/issue35907
@bedevere-bot bedevere-bot mentioned this pull request May 22, 2019
Merged
@vstinner

This comment has been minimized.

Sign in to view
Copy link
Member Author

vstinner commented May 22, 2019

@tirkarthi: Would you mind to review this backport from 3.7 to 3.6?
@tirkarthi
tirkarthi reviewed May 23, 2019
View changes
Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst Outdated Show resolved Hide resolved
@vstinner
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474
Loading status checks…
0ec4066 
…) (GH-13505)

CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)
@vstinner vstinner force-pushed the vstinner:local_file36 branch from 58e593b to 0ec4066 May 27, 2019
@vstinner

This comment has been minimized.

Sign in to view
Copy link
Member Author

vstinner commented May 27, 2019

I updated the NEWS entry and the commit message.
@tirkarthi
tirkarthi approved these changes May 27, 2019
View changes
Copy link
Contributor

tirkarthi left a comment

LGTM. Thanks.
@ned-deily ned-deily merged commit 4f06dae into python:3.6 May 29, 2019
6 checks passed
6 checks passed
Azure Pipelines PR #20190527.4 succeeded
Details
bedevere/issue-number Issue number 35907 found
Details
bedevere/maintenance-branch-pr Valid maintenance branch PR title.
bedevere/news News entry found in Misc/NEWS.d
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@vstinner vstinner deleted the vstinner:local_file36 branch Jul 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tirkarthi tirkarthi

Assignees
No one assigned
Labels
CLA signed type-security
Projects
None yet
Milestone
No milestone
5 participants
@vstinner @tirkarthi @ned-deily @the-knights-who-say-ni @bedevere-bot
You can’t perform that action at this time.