mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-23 09:59:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e53f7d53f40df75c25e6cdbd1a19b16b296d307b
poky/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
Martin Jansa 016a0b830e python: add a fix for CVE-2019-9948 and CVE-2019-9636 
Source: OpenEmbedded.org
MR: 98320, 98319
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6
ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd
Description:

Fixes:
CVE-2019-9948
CVE-2019-9636

CVE-2019-9940 is a dup of 9948 per python.org
CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067

(From OE-Core rev: e7bdff05da6075efc21c5ac9492b06e481e5a239)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Minor clean up for thud]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00

56 lines
2.2 KiB
Diff
Raw Blame History

From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
From: Sihoon Lee <push0ebp@gmail.com>
Date: Fri, 17 May 2019 02:41:06 +0900
Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
assertRasies in DummyURLopener test, and simplify mitigation
Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
CVE: CVE-2019-9948
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
Lib/test/test_urllib.py | 11 +++--------
Lib/urllib.py | 4 ++--
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index e5f210e62a18..1e23dfb0bb16 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
class DummyURLopener(urllib.URLopener):
def open_local_file(self, url):
return url
- self.assertEqual(DummyURLopener().open(
- 'local-file://example'), '//example')
- self.assertEqual(DummyURLopener().open(
- 'local_file://example'), '//example')
- self.assertRaises(IOError, urllib.urlopen,
- 'local-file://example')
- self.assertRaises(IOError, urllib.urlopen,
- 'local_file://example')
+ for url in ('local_file://example', 'local-file://example'):
+ self.assertRaises(IOError, DummyURLopener().open, url)
+ self.assertRaises(IOError, urllib.urlopen, url)
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index a24e9a5c68fb..39b834054e9e 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
-
+
# bpo-35907: # disallow the file reading with the type not allowed
if not hasattr(self, name) or \
- (self == _urlopener and name == 'open_local_file'):
+ getattr(self, name) == self.open_local_file:
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
Reference in New Issue View Git Blame Copy Permalink