[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-04-29 Thread Charalampos Stratakis
Change by Charalampos Stratakis : -- nosy: +cstratak ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-04-09 Thread Ryan Ware
Change by Ryan Ware : -- nosy: +ware ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-04-08 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: This issue seems to have been assigned CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948) as noted in https://github.com/python/cpython/pull/11842#issuecomment-480930608 -- nosy: +xtreak ___

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-13 Thread Sihoon Lee
Change by Sihoon Lee : -- keywords: +patch pull_requests: +11872 stage: needs patch -> patch review ___ Python tracker ___ ___

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Sihoon Lee
Sihoon Lee added the comment: I am not also native English speaker. It's OK. Thank you for reading my report -- ___ Python tracker ___

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Christian Heimes
Christian Heimes added the comment: I'm not a native English speaker either. I wasn't sure if I understood you correctly. Thanks! -- ___ Python tracker ___

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Sihoon Lee
Sihoon Lee added the comment: and only urllib, not urllib2. -- ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Sihoon Lee
Sihoon Lee added the comment: Sorry for my bad English. Yes, exactly. Only python 2.7 has been affected. not python3. So I chose only Python2.7 version. -- ___ Python tracker

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Christian Heimes
Christian Heimes added the comment: Only the Python 2 urllib module is affected. Python 2.7's urllib2 also correctly fails with local_file:// >>> import urllib2 >>> urllib2.urlopen('local_file:///etc/passwd').read()[:30] Traceback (most recent call last): File "", line 1, in File

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Christian Heimes
Christian Heimes added the comment: Thanks for your report. I'm having a hard time understanding your English. If I understand you correctly, your bug report is about the open_local_file() method and the surprising fact that urllib supports the local_file schema. I agree, this looks like an

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Stéphane Wirtel
Change by Stéphane Wirtel : -- nosy: +christian.heimes, martin.panter, matrixise ___ Python tracker ___ ___ Python-bugs-list mailing

[issue35907] Unnecessary URL scheme exists to allow file:// reading file in urllib

2019-02-06 Thread Sihoon Lee
New submission from Sihoon Lee : The Unnecessary scheme exists in urlopen() urllib when people would protect to read file system in HTTP request of urlopen(), they often filter like this against SSRF. # Vulnerability PoC import urllib print