Blame SOURCES/00325-CVE-2019-9948.patch

900f19
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
900f19
index 649a5b8..0061a52 100644
900f19
--- a/Lib/test/test_urllib.py
900f19
+++ b/Lib/test/test_urllib.py
900f19
@@ -16,6 +16,7 @@ except ImportError:
900f19
     ssl = None
900f19
 import sys
900f19
 import tempfile
900f19
+import warnings
900f19
 from nturl2path import url2pathname, pathname2url
900f19
 
900f19
 from base64 import b64encode
900f19
@@ -1463,6 +1464,23 @@ class URLopener_Tests(unittest.TestCase):
900f19
                 "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
900f19
                 "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
900f19
 
900f19
+    def test_local_file_open(self):
900f19
+        # bpo-35907, CVE-2019-9948: urllib must reject local_file:// scheme
900f19
+        class DummyURLopener(urllib.request.URLopener):
900f19
+            def open_local_file(self, url):
900f19
+                return url
900f19
+
900f19
+        with warnings.catch_warnings(record=True):
900f19
+            warnings.simplefilter("ignore", DeprecationWarning)
900f19
+
900f19
+            for url in ('local_file://example', 'local-file://example'):
900f19
+                self.assertRaises(OSError, urllib.request.urlopen, url)
900f19
+                self.assertRaises(OSError, urllib.request.URLopener().open, url)
900f19
+                self.assertRaises(OSError, urllib.request.URLopener().retrieve, url)
900f19
+                self.assertRaises(OSError, DummyURLopener().open, url)
900f19
+                self.assertRaises(OSError, DummyURLopener().retrieve, url)
900f19
+
900f19
+
900f19
 # Just commented them out.
900f19
 # Can't really tell why keep failing in windows and sparc.
900f19
 # Everywhere else they work ok, but on those machines, sometimes
900f19
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
900f19
index d28f2f8..c9945d9 100644
900f19
--- a/Lib/urllib/request.py
900f19
+++ b/Lib/urllib/request.py
900f19
@@ -1747,7 +1747,7 @@ class URLopener:
900f19
         name = 'open_' + urltype
900f19
         self.type = urltype
900f19
         name = name.replace('-', '_')
900f19
-        if not hasattr(self, name):
900f19
+        if not hasattr(self, name) or name == 'open_local_file':
900f19
             if proxy:
900f19
                 return self.open_unknown_proxy(proxy, fullurl, data)
900f19
             else: