[Python-checkins] bpo-35907: Complete test_urllib.test_local_file_open() (GH-13506)

Victor Stinner webhook-mailer at python.org
Wed May 22 17:28:07 EDT 2019


https://github.com/python/cpython/commit/942c31dffbe886ff02e25a319cc3891220b8c641
commit: 942c31dffbe886ff02e25a319cc3891220b8c641
branch: 2.7
author: Victor Stinner <vstinner at redhat.com>
committer: GitHub <noreply at github.com>
date: 2019-05-22T23:28:03+02:00
summary:

bpo-35907: Complete test_urllib.test_local_file_open() (GH-13506)

Test also URLopener().open(), URLopener().retrieve(), and
DummyURLopener().retrieve().

files:
M Lib/test/test_urllib.py
M Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst

diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index ae1f6c0b29f0..22b0874a9281 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1049,12 +1049,16 @@ def open_spam(self, url):
             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
 
     def test_local_file_open(self):
+        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
         class DummyURLopener(urllib.URLopener):
             def open_local_file(self, url):
                 return url
         for url in ('local_file://example', 'local-file://example'):
-            self.assertRaises(IOError, DummyURLopener().open, url)
             self.assertRaises(IOError, urllib.urlopen, url)
+            self.assertRaises(IOError, urllib.URLopener().open, url)
+            self.assertRaises(IOError, urllib.URLopener().retrieve, url)
+            self.assertRaises(IOError, DummyURLopener().open, url)
+            self.assertRaises(IOError, DummyURLopener().retrieve, url)
 
 # Just commented them out.
 # Can't really tell why keep failing in windows and sparc.
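Review bot: The two new plain-opener assertions, urllib.URLopener().open and urllib.URLopener().retrieve, only check that IOError is raised, and that may not prove the scheme was rejected. A stock URLopener that still dispatched 'local_file://example' to open_local_file would most likely raise IOError too, because the path does not exist. Only the DummyURLopener cases, whose open_local_file returns the url instead of touching the filesystem, clearly fail if dispatch happens. Consider asserting on the error content for the stock opener, or adding a short comment that the Dummy cases are the ones that pin the behaviour. Separately, six assertions now run for each of two URLs in one loop, so a failure does not say which URL triggered it; passing the url into a small helper that adds it to the failure message would make a regression easier to read.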
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
index bb187d8d65a5..6a448ce6261c 100644
--- a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -1 +1,3 @@
-CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
+CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in
+:func:`urllib.urlopen`, :meth:`urllib.URLopener.open` and
+:meth:`urllib.URLopener.retrieve`.
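Review bot: The reworded entry still reads "Avoid file reading as disallowing the unnecessary URL scheme", which is hard to parse and never names the scheme being rejected. Since this is the user-facing record of CVE-2019-9948, consider "Avoid file reading by disallowing the ``local_file://`` and ``local-file://`` URL schemes in", matching the two URLs exercised in test_local_file_open(), and keep the three function references as they are.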


