Incorrect authorization check in urllib.request #90912

serhiy-storchaka · 2022-02-15T09:48:08Z

BPO	46756
Nosy	@orsenthil, @ned-deily, @ambv, @vadmium, @serhiy-storchaka, @pablogsal, @miss-islington
PRs	bpo-46756: Fix authorization check in urllib.request #31353 [3.10] bpo-46756: Fix authorization check in urllib.request (GH-31353) #31570 [3.9] bpo-46756: Fix authorization check in urllib.request (GH-31353) #31571 [3.8] bpo-46756: Fix authorization check in urllib.request (GH-31353) #31572 [3.7] bpo-46756: Fix authorization check in urllib.request (GH-31353) #31573

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2022-03-02.13:54:11.554>
created_at = <Date 2022-02-15.09:48:07.699>
labels = ['type-security', '3.8', '3.9', '3.10', '3.11', '3.7', 'library']
title = 'Incorrect authorization check in urllib.request'
updated_at = <Date 2022-03-03.20:14:46.403>
user = 'https://github.com/serhiy-storchaka'

bugs.python.org fields:

activity = <Date 2022-03-03.20:14:46.403>
actor = 'orsenthil'
assignee = 'none'
closed = True
closed_date = <Date 2022-03-02.13:54:11.554>
closer = 'pablogsal'
components = ['Library (Lib)']
creation = <Date 2022-02-15.09:48:07.699>
creator = 'serhiy.storchaka'
dependencies = []
files = []
hgrepos = []
issue_num = 46756
keywords = ['patch']
message_count = 12.0
messages = ['413280', '413363', '413976', '413978', '413983', '413985', '414027', '414347', '414350', '414351', '414352', '414465']
nosy_count = 7.0
nosy_names = ['orsenthil', 'ned.deily', 'lukasz.langa', 'martin.panter', 'serhiy.storchaka', 'pablogsal', 'miss-islington']
pr_nums = ['31353', '31570', '31571', '31572', '31573']
priority = None
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46756'
versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

serhiy-storchaka · 2022-02-15T09:48:08Z

There is an error in determining a sub-URI in the urllib.request module. Due to it, if the user is authorized for example.org/foo, it gets also access to example.org/foobar.

vadmium · 2022-02-16T22:04:34Z

Maybe the same as bpo-42766?

serhiy-storchaka · 2022-02-25T11:30:32Z

Yes, it is the same. I should search before writing a patch.

But for some reasons I prefer my solution over the one proposed in bpo-42766: The code is clearer and more strict, tests use public API instead of a private method.

serhiy-storchaka · 2022-02-25T11:31:10Z

New changeset e2e7256 by Serhiy Storchaka in branch 'main':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
e2e7256

miss-islington · 2022-02-25T11:56:23Z

New changeset 4560c7e by Miss Islington (bot) in branch '3.9':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
4560c7e

miss-islington · 2022-02-25T11:57:34Z

New changeset 2b7e04d by Miss Islington (bot) in branch '3.10':
bpo-46756: Fix authorization check in urllib.request (GH-31353)
2b7e04d

ned-deily · 2022-02-25T17:49:59Z

New changeset 31fef7e by Miss Islington (bot) in branch '3.7':
bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31573)
31fef7e

pablogsal · 2022-03-02T13:49:51Z

This is marked as a release blocker so I am holding the alpha release on this. Is there anything we can do to unblock this issue?

pablogsal · 2022-03-02T13:50:17Z

Is something left here, it seems that most PRs are landed

pablogsal · 2022-03-02T13:50:42Z

New changeset 1c9701a by Miss Islington (bot) in branch '3.8':
bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31572)
1c9701a

pablogsal · 2022-03-02T13:54:12Z

I'm closing this, please reopen if something is missing.

orsenthil · 2022-03-03T20:14:46Z

Pablo, we are good. The PRs were merged in open branches a while ago, and this was tracking security releases backports.

serhiy-storchaka added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes stdlib Python modules in the Lib dir type-security A security issue labels Feb 15, 2022

serhiy-storchaka changed the title ~~Incorrect~~ Incorrect authorization check in urllib.request Feb 15, 2022

serhiy-storchaka added release-blocker labels Feb 25, 2022

pablogsal closed this as completed Mar 2, 2022

pablogsal removed the release-blocker label Mar 2, 2022

pablogsal closed this as completed Mar 2, 2022

pablogsal removed the release-blocker label Mar 2, 2022

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Incorrect authorization check in urllib.request #90912

Incorrect authorization check in urllib.request #90912

serhiy-storchaka commented Feb 15, 2022

serhiy-storchaka commented Feb 15, 2022

vadmium commented Feb 16, 2022

serhiy-storchaka commented Feb 25, 2022

serhiy-storchaka commented Feb 25, 2022

miss-islington commented Feb 25, 2022

miss-islington commented Feb 25, 2022

ned-deily commented Feb 25, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

orsenthil commented Mar 3, 2022

Incorrect authorization check in urllib.request #90912

Incorrect authorization check in urllib.request #90912

Comments

serhiy-storchaka commented Feb 15, 2022

serhiy-storchaka commented Feb 15, 2022

vadmium commented Feb 16, 2022

serhiy-storchaka commented Feb 25, 2022

serhiy-storchaka commented Feb 25, 2022

miss-islington commented Feb 25, 2022

miss-islington commented Feb 25, 2022

ned-deily commented Feb 25, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

pablogsal commented Mar 2, 2022

orsenthil commented Mar 3, 2022