Message342334
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema. Python 3 refuses local_file:// (tested with 3.4 to 3.7).
I'm not sure that I understand the issue well. urllib accepts various schemes by design: HTTP, HTTPS, FTP, FILE, etc.
For example, file:// scheme is legit and works as expected. Python 3 example:
---
import urllib.request
req = urllib.request.Request('file:///etc/passwd')
print(f"URL scheme: {req.type}")
fp = urllib.request.urlopen(req)
print(fp.read()[:30])
fp.close()
---
Output with Python 3:
---
URL scheme: file
b'root:x:0:0:root:/root:/bin/bas'
---
I get a similar output with this Python 2 example:
---
import urllib
req = urllib.urlopen('file:///etc/passwd')
print(req.read()[:30])
req.close()
---
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema.
I understand that Python 2 handles local_file://url as file://url. Ok. But is this a security issue? If you care about security, you ensure that the URL scheme is HTTP or HTTPS, not only forbid FILE, no?
I'm asking because of:
Karthikeyan Singaravelan:
> This issue seems to have been assigned CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948) ...

Date | User | Action | Args
2019-05-13 14:47:47 | vstinner | set | recipients: + vstinner, christian.heimes, martin.panter, matrixise, cstratak, xtreak, push0ebp, ware
2019-05-13 14:47:47 | vstinner | set | messageid: <1557758867.72.0.556742965405.issue35907@roundup.psfhosted.org>
2019-05-13 14:47:47 | vstinner | link | issue35907 messages
2019-05-13 14:47:47 | vstinner | create |
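The scheme allowlist that the message recommends, beside the weaker "forbid FILE only" check it argues against, as an added example that is not part of the issue thread or of urllib itself; the names url_scheme, is_allowed_url, denylist_passes, safe_urlopen and refuses are chosen here for illustration.

```python
import urllib.request

# Helper names below are chosen for this illustration; they are not urllib APIs.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def url_scheme(url):
    """Return the scheme as urllib.request itself parses it (lower-cased), or None.

    Request() uses urllib's own split, so 'local_file://' reports 'local_file'.
    urllib.parse.urlsplit() would report '' for it, because '_' is not a scheme
    character there, which makes a hand-rolled scheme check easy to get wrong.
    """
    try:
        return urllib.request.Request(url).type.lower()
    except ValueError:  # no scheme at all: urllib raises "unknown url type"
        return None


def is_allowed_url(url):
    """Allowlist: accept only http and https, refuse every other scheme."""
    return url_scheme(url) in ALLOWED_SCHEMES


def denylist_passes(url):
    """The weaker check argued against in the message: forbid only 'file'.

    'local_file://' slips through, and Python 2's urllib opened it as a
    local file (the behaviour tracked as CVE-2019-9948).
    """
    return url_scheme(url) not in (None, "file")


def safe_urlopen(url, **kwargs):
    """Open the URL only after the allowlist check passes."""
    if not is_allowed_url(url):
        raise ValueError(f"refusing scheme {url_scheme(url)!r}: {url}")
    return urllib.request.urlopen(url, **kwargs)


def refuses(url):
    """True if safe_urlopen() rejects the URL before opening anything."""
    try:
        safe_urlopen(url)
    except ValueError:
        return True
    return False
```

Running is_allowed_url() and denylist_passes() over file:///etc/passwd and local_file:///etc/passwd shows the gap: the allowlist refuses both, the denylist refuses only the first.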