[3.6] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) (GH-13505) #13513

Merged: ned-deily merged 1 commit into python:3.6 from vstinner:local_file36 on May 29, 2019

@vstinner (Member) commented May 22, 2019

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH [email protected]
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)

https://bugs.python.org/issue35907

@vstinner (Member Author)

@tirkarthi: Would you mind reviewing this backport from 3.7 to 3.6?

…) (GH-13505)

CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.

Co-Authored-By: SH <[email protected]>
(cherry picked from commit 0c2b6a3)
(cherry picked from commit 34bab21)

@vstinner (Member Author)

I updated the NEWS entry and the commit message.

@tirkarthi (Member) left a comment

LGTM. Thanks.

@ned-deily merged commit 4f06dae into python:3.6 May 29, 2019
@vstinner deleted the local_file36 branch July 15, 2019 11:31
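
As an added example (not part of this pull request or of CPython's code): an application-side scheme check run before a URL is handed to urllib. It shows that a filter rejecting only `file` lets through the `local_file://` and `local-file://` schemes named in the commit message, while an allowlist rejects them. The function names, the http/https allowlist and the sample URLs are assumptions made for the illustration.

```python
import re

# Loose "scheme:" split: everything before the first ':' provided no '/' comes
# first. Unlike a strict RFC 3986 parse it still reports "local_file" as a scheme.
_SCHEME_RE = re.compile(r"([^/:]+):")

# Assumption for this example: the application only needs to fetch web URLs.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def url_scheme(url):
    """Return the lower-cased scheme of url, or None when it has none."""
    match = _SCHEME_RE.match(url.strip())
    return match.group(1).lower() if match else None


def naive_denylist_ok(url):
    """Weak pattern: reject only the literal 'file' scheme."""
    return url_scheme(url) != "file"


def check_url(url):
    """Allowlist check: return (allowed, reason)."""
    scheme = url_scheme(url)
    if scheme is None:
        return False, "no scheme"
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % scheme
    return True, "ok"


# Constructed sample inputs, not taken from the pull request.
SAMPLES = [
    "https://example.org/index.html",
    "file:///etc/hostname",
    "local_file:///etc/hostname",
    "Local-File:///etc/hostname",
    "/etc/hostname",
]


def audit(urls):
    """Return (url, passes_denylist, passes_allowlist) for each URL."""
    return [(u, naive_denylist_ok(u), check_url(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, deny_ok, allow_ok in audit(SAMPLES):
        print("%-34s denylist=%-5s allowlist=%s" % (url, deny_ok, allow_ok))
```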
Labels

type-security A security issue