classification
Title: Incorrect authorization check in urllib.request
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: lukasz.langa, martin.panter, miss-islington, ned.deily, orsenthil, pablogsal, serhiy.storchaka
Priority:
Keywords: patch

Created on 2022-02-15 09:48 by serhiy.storchaka, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked
PR 31353 merged serhiy.storchaka, 2022-02-15 10:02
PR 31570 merged miss-islington, 2022-02-25 11:31
PR 31571 merged miss-islington, 2022-02-25 11:31
PR 31572 merged miss-islington, 2022-02-25 11:31
PR 31573 merged miss-islington, 2022-02-25 11:31
Messages (12)
msg413280 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2022-02-15 09:48
There is an error in determining a sub-URI in the urllib.request module. Because of it, if the user is authorized for example.org/foo, they also get access to example.org/foobar.
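The sub-URI confusion reported above, as an added example (not CPython's code and not the patch from GH-31353). `prefix_is_suburi`, `segment_is_suburi` and `stdlib_leaks_credentials` are hypothetical names, and the realm, URL and credentials are constructed. `HTTPPasswordMgr.add_password` and `find_user_password` are the public urllib.request API, used here to check whether the running interpreter still shows the behaviour.

```python
from urllib.request import HTTPPasswordMgr


def prefix_is_suburi(base_path: str, test_path: str) -> bool:
    """Over-broad check (illustrative): plain string-prefix comparison."""
    return test_path.startswith(base_path)


def segment_is_suburi(base_path: str, test_path: str) -> bool:
    """Stricter check (illustrative): match only on a path-segment boundary."""
    if base_path == test_path:
        return True
    prefix = base_path if base_path.endswith("/") else base_path + "/"
    return test_path.startswith(prefix)


def stdlib_leaks_credentials() -> bool:
    """Probe the running interpreter through the public password-manager API.

    Returns True if credentials registered for /foo are also offered for
    /foobar. Nothing is sent over the network.
    """
    mgr = HTTPPasswordMgr()
    # Constructed realm, URL and credentials.
    mgr.add_password("realm", "http://example.org/foo", "user", "secret")
    found = mgr.find_user_password("realm", "http://example.org/foobar")
    return found != (None, None)


# Constructed request paths, each compared against the protected base "/foo".
CASES = ["/foo", "/foo/", "/foo/bar", "/foobar", "/foo.bak", "/fo"]


def compare(base: str = "/foo"):
    """Return (path, prefix_result, segment_result) for every sample path."""
    return [(p, prefix_is_suburi(base, p), segment_is_suburi(base, p))
            for p in CASES]


if __name__ == "__main__":
    for path, loose, strict in compare():
        flag = "  <-- over-broad match" if loose and not strict else ""
        print(f"{path:10} prefix={loose!s:5} segment={strict!s:5}{flag}")
    print("running interpreter affected:", stdlib_leaks_credentials())
```

Running the probe across the interpreters in a fleet shows which ones still need the security release that carries this fix.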
msg413363 - Author: Martin Panter (martin.panter) * (Python committer) Date: 2022-02-16 22:04
Maybe the same as Issue 42766?
msg413976 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2022-02-25 11:30
Yes, it is the same. I should search before writing a patch.

But for some reasons I prefer my solution over the one proposed in issue42766: the code is clearer and stricter, and the tests use the public API instead of a private method.
msg413978 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2022-02-25 11:31
New changeset e2e72567a1c94c548868f6ee5329363e6036057a by Serhiy Storchaka in branch 'main':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
https://github.com/python/cpython/commit/e2e72567a1c94c548868f6ee5329363e6036057a
msg413983 - Author: miss-islington (miss-islington) Date: 2022-02-25 11:56
New changeset 4560c7e605887fda3af63f8ce157abf94954d4d2 by Miss Islington (bot) in branch '3.9':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
https://github.com/python/cpython/commit/4560c7e605887fda3af63f8ce157abf94954d4d2
msg413985 - Author: miss-islington (miss-islington) Date: 2022-02-25 11:57
New changeset 2b7e04d61274af03426975fe824ed83eca35b035 by Miss Islington (bot) in branch '3.10':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
https://github.com/python/cpython/commit/2b7e04d61274af03426975fe824ed83eca35b035
msg414027 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2022-02-25 17:49
New changeset 31fef7edf951fb759004c58ae64df18bc32ea376 by Miss Islington (bot) in branch '3.7':
bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31573)
https://github.com/python/cpython/commit/31fef7edf951fb759004c58ae64df18bc32ea376
msg414347 - Author: Pablo Galindo Salgado (pablogsal) * (Python committer) Date: 2022-03-02 13:49
This is marked as a release blocker so I am holding the alpha release on this. Is there anything we can do to unblock this issue?
msg414350 - Author: Pablo Galindo Salgado (pablogsal) * (Python committer) Date: 2022-03-02 13:50
Is something left here? It seems that most PRs have landed.
msg414351 - Author: Pablo Galindo Salgado (pablogsal) * (Python committer) Date: 2022-03-02 13:50
New changeset 1c9701a3de0566c085e03dddc14a8508aaae349e by Miss Islington (bot) in branch '3.8':
bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31572)
https://github.com/python/cpython/commit/1c9701a3de0566c085e03dddc14a8508aaae349e
msg414352 - Author: Pablo Galindo Salgado (pablogsal) * (Python committer) Date: 2022-03-02 13:54
I'm closing this, please reopen if something is missing.
msg414465 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2022-03-03 20:14
Pablo, we are good. The PRs were merged in open branches a while ago, and this was tracking security releases backports.
History
Date User Action Args
2022-04-11 14:59:56 admin set github: 90912
2022-03-03 20:14:46 orsenthil set messages: + msg414465
2022-03-02 13:54:11 pablogsal set status: open -> closed
    priority: release blocker ->
    messages: + msg414352
    resolution: fixed
    stage: patch review -> resolved
2022-03-02 13:50:42 pablogsal set messages: + msg414351
2022-03-02 13:50:17 pablogsal set messages: + msg414350
2022-03-02 13:49:51 pablogsal set messages: + msg414347
2022-02-25 17:49:59 ned.deily set messages: + msg414027
2022-02-25 12:00:31 serhiy.storchaka link issue42766 superseder
2022-02-25 11:57:34 miss-islington set messages: + msg413985
2022-02-25 11:56:23 miss-islington set messages: + msg413983
2022-02-25 11:34:03 serhiy.storchaka set priority: high -> release blocker
    nosy: + ned.deily, pablogsal, lukasz.langa
2022-02-25 11:31:24 miss-islington set pull_requests: + pull_request29695
2022-02-25 11:31:19 miss-islington set pull_requests: + pull_request29694
2022-02-25 11:31:15 miss-islington set pull_requests: + pull_request29693
2022-02-25 11:31:12 miss-islington set nosy: + miss-islington
    pull_requests: + pull_request29692
2022-02-25 11:31:09 serhiy.storchaka set messages: + msg413978
2022-02-25 11:30:32 serhiy.storchaka set messages: + msg413976
2022-02-16 22:04:34 martin.panter set nosy: + martin.panter
    messages: + msg413363
2022-02-15 10:03:29 serhiy.storchaka set title: Incorrect -> Incorrect authorization check in urllib.request
2022-02-15 10:02:26 serhiy.storchaka set keywords: + patch
    stage: patch review
    pull_requests: + pull_request29502
2022-02-15 09:48:07 serhiy.storchaka create