Skip to content

[3.7] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) #13505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 22, 2019
Merged

[3.7] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) #13505

merged 1 commit into from
May 22, 2019

Conversation

vstinner
Copy link
Member

@vstinner vstinner commented May 22, 2019
edited by bedevere-bot
Loading

CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH [email protected]
(cherry picked from commit 0c2b6a3)

https://bugs.python.org/issue35907

@bedevere-bot bedevere-bot mentioned this pull request May 22, 2019
Merged
@vstinner @push0ebp
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)
3fa7251 
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <[email protected]>
(cherry picked from commit 0c2b6a3)
@vstinner vstinner merged commit 34bab21 into python:3.7 May 22, 2019
@vstinner vstinner deleted the local_file37 branch May 22, 2019 21:28
@miss-islington
Copy link
Contributor

Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒⛏🤖

@bedevere-bot
Copy link

GH-13513 is a backport of this pull request to the 3.6 branch.

larryhastings pushed a commit that referenced this pull request Jul 14, 2019
@vstinner @push0ebp @larryhastings
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474
4fe82a8 
…) (GH-13505) (#13510)

CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.

Co-Authored-By: SH <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vstinner @miss-islington @bedevere-bot @the-knights-who-say-ni