bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com>

commit: 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587 [log] [tgz]
author: Victor Stinner <victor.stinner@gmail.com> Wed May 22 22:15:01 2019 +0200
committer: GitHub <noreply@github.com> Wed May 22 22:15:01 2019 +0200
tree: d43ef81f590349a7e9d5cff0564f7b4667b43f2c
parent: 2ddbd21aec7f0e2f237a1073d3e0b313e673413f [diff] [blame]
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 230ac39..9b21afb 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py

@@ -1745,7 +1745,7 @@
         name = 'open_' + urltype
         self.type = urltype
         name = name.replace('-', '_')
-        if not hasattr(self, name):
+        if not hasattr(self, name) or name == 'open_local_file':
             if proxy:
                 return self.open_unknown_proxy(proxy, fullurl, data)
             else:
commit	0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587	[log] [tgz]
author	Victor Stinner <victor.stinner@gmail.com>	Wed May 22 22:15:01 2019 +0200
committer	GitHub <noreply@github.com>	Wed May 22 22:15:01 2019 +0200
tree	d43ef81f590349a7e9d5cff0564f7b4667b43f2c
parent	2ddbd21aec7f0e2f237a1073d3e0b313e673413f [diff] [blame]