STINNER Victor <vstin...@redhat.com> added the comment:
Christian:
> I agree, this looks like an implementation artefact. urllib should not expose
> the local_file schema. Python 3 refuses local_file:// (tested with 3.4 to
> 3.7).

I'm not sure that I understand the issue well. urllib accepts various schemes by design: HTTP, HTTPS, FTP, FILE, etc. For example, the file:// scheme is legit and works as expected. Python 3 example:
---
import urllib.request
req = urllib.request.Request('file:///etc/passwd')
print(f"URL scheme: {req.type}")
fp = urllib.request.urlopen(req)
print(fp.read()[:30])
fp.close()
---
Output with Python 3:
---
URL scheme: file
b'root:x:0:0:root:/root:/bin/bas'
---
I get a similar output with this Python 2 example:
---
import urllib
req = urllib.urlopen('file:///etc/passwd')
print(req.read()[:30])
req.close()
---

Christian:
> I agree, this looks like an implementation artefact. urllib should not expose
> the local_file schema.

I understand that Python 2 handles local_file://url as file://url. Ok. But is this a security issue? If you care about security, you ensure that the url scheme is HTTP or HTTPS, not only forbid FILE, no?

I'm asking because of:

Karthikeyan Singaravelan:
> This issue seems to have been assigned CVE-2019-9948
> (https://nvd.nist.gov/vuln/detail/CVE-2019-9948) ...

----------
nosy: +vstinner

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35907>
_______________________________________
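The point Victor raises, that a consumer of urllib should allowlist the schemes it needs (HTTP/HTTPS) rather than only forbid FILE, can be shown side by side. The following is an added example and is not part of the tracker thread or of CPython's own code; it reads the scheme through `urllib.request.Request(...).type`, the same attribute Victor's snippet prints, and never opens any URL. The sample URLs and the `ALLOWED_SCHEMES` policy are constructed for illustration. Note that on Python 3 a scheme such as `local_file` is parsed but not fetchable, while the thread says Python 2 mapped it onto the file handler; the check below is about the validation logic, not about which interpreter fetches what.

```python
import urllib.request

# Constructed policy: the only schemes this hypothetical fetcher is meant to use.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def scheme_of(url: str) -> str:
    """Return the lowercased scheme as urllib.request sees it (Request.type).

    Constructing a Request performs no I/O; it only splits the URL. A URL with
    no recognisable scheme makes Request raise ValueError, reported here as "".
    """
    try:
        return urllib.request.Request(url).type
    except ValueError:
        return ""


def blocklist_check(url: str) -> bool:
    """Weak form: reject only the literal 'file' scheme.

    Anything the underlying library treats as an alias of the file handler
    (the thread describes local_file on Python 2) is not caught here, and
    neither are other unwanted schemes such as ftp.
    """
    return scheme_of(url) != "file"


def allowlist_check(url: str) -> bool:
    """Recommended form: accept only the schemes the application actually needs."""
    return scheme_of(url) in ALLOWED_SCHEMES


def blocklist_gap(urls):
    """URLs that pass the blocklist but fail the allowlist, i.e. exactly the
    inputs a 'forbid FILE' policy would have let through."""
    return sorted(u for u in urls if blocklist_check(u) and not allowlist_check(u))


# Constructed sample inputs covering the cases discussed in the thread.
SAMPLE_URLS = [
    "https://example.com/index.html",
    "http://example.com/",
    "file:///etc/passwd",
    "FILE:///etc/passwd",          # scheme comparison must be case-insensitive
    "local_file:///etc/passwd",    # the alias the thread is about
    "ftp://example.com/pub/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:32} scheme={scheme_of(u)!r:14} "
              f"blocklist={blocklist_check(u)} allowlist={allowlist_check(u)}")
    print("passed by blocklist only:", blocklist_gap(SAMPLE_URLS))
```

Running it prints one row per sample URL and then the two URLs (`ftp://...` and `local_file://...`) that a "forbid FILE" rule accepts while the allowlist rejects them, which is the practical difference Victor's question points at.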