traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bpo-35907: Complete test_urllib.test_local_file_open() (GH-13506) 

Test also URLopener().open(), URLopener().retrieve(), and
DummyURLopener().retrieve().
This commit is contained in:
Victor Stinner 2019-05-22 23:28:03 +02:00 committed by GitHub
parent b15bde8058
commit 942c31dffb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Lib/test/test_urllib.py
View File

@ -1049,12 +1049,16 @@ class URLopener_Tests(unittest.TestCase):
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
def test_local_file_open(self):
# bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
class DummyURLopener(urllib.URLopener):
def open_local_file(self, url):
return url
for url in ('local_file://example', 'local-file://example'):
self.assertRaises(IOError, DummyURLopener().open, url)
self.assertRaises(IOError, urllib.urlopen, url)
self.assertRaises(IOError, urllib.URLopener().open, url)
self.assertRaises(IOError, urllib.URLopener().retrieve, url)
self.assertRaises(IOError, DummyURLopener().open, url)
self.assertRaises(IOError, DummyURLopener().retrieve, url)
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.

4
Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
View File

@ -1 +1,3 @@
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
:func:`urllib.urlopen`, :meth:`urllib.URLopener.open` and
:meth:`urllib.URLopener.retrieve`.