[openwrt-packages.git] /

From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
From: push0ebp <push0ebp@shl-MacBook-Pro.local>
Date: Thu, 14 Feb 2019 02:05:46 +0900
Subject: [PATCH 1/6] bpo-35907: Avoid file reading as disallowing the
 unnecessary URL scheme in urllib

---
 Lib/test/test_urllib.py | 12 ++++++++++++
 Lib/urllib.py           |  5 ++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 1ce9201c0693..e5f210e62a18 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1023,6 +1023,18 @@ def open_spam(self, url):
             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
 
+    def test_local_file_open(self):
+        class DummyURLopener(urllib.URLopener):
+            def open_local_file(self, url):
+                return url
+        self.assertEqual(DummyURLopener().open(
+            'local-file://example'), '//example')
+        self.assertEqual(DummyURLopener().open(
+            'local_file://example'), '//example')
+        self.assertRaises(IOError, urllib.urlopen,
+            'local-file://example')
+        self.assertRaises(IOError, urllib.urlopen,
+            'local_file://example')
 
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index d85504a5cb7e..a24e9a5c68fb 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        if not hasattr(self, name):
+        
+        # bpo-35907: # disallow the file reading with the type not allowed
+        if not hasattr(self, name) or \
+            (self == _urlopener and name == 'open_local_file'):
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else:

From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com>
Date: Wed, 13 Feb 2019 17:21:11 +0000
Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
 =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst

diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
new file mode 100644
index 000000000000..8118a5f40583
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -0,0 +1 @@
+Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
\ No newline at end of file

From f20a31c7364fecdd3197e0180a5857e23aa15065 Mon Sep 17 00:00:00 2001
From: SH <push0ebp@gmail.com>
Date: Fri, 17 May 2019 02:31:18 +0900
Subject: [PATCH 3/6] Update 2019-02-13-17-21-10.bpo-35907.ckk2zg.rst

Add prefix "CVE-2019-9948: "
---
 .../next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
index 8118a5f40583..bb187d8d65a5 100644
--- a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -1 +1 @@
-Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
\ No newline at end of file
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen

From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
From: Sihoon Lee <push0ebp@gmail.com>
Date: Fri, 17 May 2019 02:41:06 +0900
Subject: [PATCH 4/6] Update test_urllib.py and urllib.py\nchange assertEqual
 into assertRasies in DummyURLopener test, and simplify mitigation

---
 Lib/test/test_urllib.py | 11 +++--------
 Lib/urllib.py           |  4 ++--
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index e5f210e62a18..1e23dfb0bb16 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
         class DummyURLopener(urllib.URLopener):
             def open_local_file(self, url):
                 return url
-        self.assertEqual(DummyURLopener().open(
-            'local-file://example'), '//example')
-        self.assertEqual(DummyURLopener().open(
-            'local_file://example'), '//example')
-        self.assertRaises(IOError, urllib.urlopen,
-            'local-file://example')
-        self.assertRaises(IOError, urllib.urlopen,
-            'local_file://example')
+        for url in ('local_file://example', 'local-file://example'):
+            self.assertRaises(IOError, DummyURLopener().open, url)
+            self.assertRaises(IOError, urllib.urlopen, url)
 
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index a24e9a5c68fb..39b834054e9e 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        
+
         # bpo-35907: # disallow the file reading with the type not allowed
         if not hasattr(self, name) or \
-            (self == _urlopener and name == 'open_local_file'):
+            getattr(self, name) == self.open_local_file:
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else:

From 3cda03c00109f9c1ae0df1760ecd60915cef105e Mon Sep 17 00:00:00 2001
From: SH <push0ebp@gmail.com>
Date: Tue, 21 May 2019 22:21:15 +0900
Subject: [PATCH 5/6] Update urllib.py

Modify the object to string in check method name.
---
 Lib/urllib.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Lib/urllib.py b/Lib/urllib.py
index 39b834054e9e..0bf5f4d5a21b 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -205,8 +205,7 @@ def open(self, fullurl, data=None):
         name = name.replace('-', '_')
 
         # bpo-35907: # disallow the file reading with the type not allowed
-        if not hasattr(self, name) or \
-            getattr(self, name) == self.open_local_file:
+        if not hasattr(self, name) or name == 'open_local_file':
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else:

From 8b7d7abff8c633e29a8f10bbf9cc7d9e656b0eec Mon Sep 17 00:00:00 2001
From: SH <push0ebp@gmail.com>
Date: Wed, 22 May 2019 03:48:56 +0900
Subject: [PATCH 6/6] Update urllib.py

Fix typo
---
 Lib/urllib.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/urllib.py b/Lib/urllib.py
index 0bf5f4d5a21b..156879dd0a14 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -204,7 +204,7 @@ def open(self, fullurl, data=None):
         self.type = urltype
         name = name.replace('-', '_')
 
-        # bpo-35907: # disallow the file reading with the type not allowed
+        # bpo-35907: disallow the file reading with the type not allowed
         if not hasattr(self, name) or name == 'open_local_file':
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)