Author vstinner
Recipients christian.heimes, cstratak, martin.panter, matrixise, push0ebp, vstinner, ware, xtreak
Date 2019-05-13.14:47:47
Message-id <1557758867.72.0.556742965405.issue35907@roundup.psfhosted.org>
Content
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema. Python 3 refuses local_file:// (tested with 3.4 to 3.7).

I'm not sure that I understand the issue well. urllib accepts various schemes by design: HTTP, HTTPS, FTP, FILE, etc.

For example, the file:// scheme is legit and works as expected. Python 3 example:
---
import urllib.request
req = urllib.request.Request('file:///etc/passwd')
print(f"URL scheme: {req.type}")
fp = urllib.request.urlopen(req)
print(fp.read()[:30])
fp.close()
---

Output with Python 3:
---
URL scheme: file
b'root:x:0:0:root:/root:/bin/bas'
---


I get a similar output with this Python 2 example:
---
import urllib
req = urllib.urlopen('file:///etc/passwd')
print(req.read()[:30])
req.close()
---


Christian:
> I agree, this looks like an implementation artefact. urllib should not expose the local_file schema.

I understand that Python 2 handles local_file://url as file://url. Ok. But is this a security issue? If you care about security, you ensure that the URL scheme is HTTP or HTTPS, not only forbid FILE, no?

I'm asking because of:

Karthikeyan Singaravelan:
> This issue seems to have been assigned CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948) ...
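As an added example (my own code, not from the issue or from CPython), the allowlist check the message suggests beside the denylist it argues against, both applied to the scheme string that urllib's opener actually dispatches on. The sample URLs and the HTTP/HTTPS-only policy are constructed for the example.

```python
# Added example (not from the issue): allowlist vs. denylist scheme checks
# applied before a URL ever reaches urlopen. Constructed URLs, nothing fetched.
from urllib.request import Request

# Assumed policy for this example: the application only needs web URLs.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class SchemeNotAllowed(ValueError):
    """Raised when a URL's scheme is outside the allowlist."""


def dispatch_scheme(url):
    """Return the scheme the urllib opener dispatches on, or None.

    Request.type comes from the same '([^/:]+):' split the opener uses, so
    'local_file' is reported as-is (underscore included) and upper case is
    folded to lower; a scheme-less string makes Request raise ValueError.
    """
    try:
        return Request(url).type
    except ValueError:
        return None


def denylist_allows(url):
    """The check the message argues against: forbid only 'file'.

    Anything not literally 'file' passes, including 'local_file', which
    Python 2 urllib routed to its local-file opener (CVE-2019-9948).
    """
    return dispatch_scheme(url) != "file"


def allowlist_allows(url):
    """The check the message recommends: accept only HTTP and HTTPS."""
    return dispatch_scheme(url) in ALLOWED_SCHEMES


def safe_request(url):
    """Build a Request only for an allowlisted scheme; caller passes it on."""
    if not allowlist_allows(url):
        raise SchemeNotAllowed(f"refusing scheme {dispatch_scheme(url)!r} in {url!r}")
    return Request(url)


def compare(urls):
    """Map each URL to (dispatch scheme, denylist verdict, allowlist verdict)."""
    return {u: (dispatch_scheme(u), denylist_allows(u), allowlist_allows(u)) for u in urls}


# Constructed sample inputs, including the message's local_file case.
SAMPLE_URLS = ["https://example.com/data", "file:///etc/passwd", "FILE:///etc/passwd",
               "local_file:///etc/passwd", "ftp://example.com/pub", "/etc/passwd"]
```

Only the allowlist rejects `local_file://` and `ftp://`; the denylist lets both through and only stops the literal `file` scheme.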