.. _urllib-local-file-scheme:

urllib module local_file:// scheme
==================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

urllib in Python 2.x through 2.7.16 supports the ``local_file:`` scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist ``file:`` URIs, as demonstrated by triggering a ``urllib.urlopen('local_file:///etc/passwd')`` call.

Dates:

* Disclosure date: **2019-02-06** (Python issue bpo-35907 reported)

Fixed In
--------

* Python **2.7.17** (2019-10-19) fixed by `commit b15bde8 (branch 2.7) `_ (2019-05-21)
* Python **3.5.8** (2019-10-29) fixed by `commit 4fe82a8 (branch 3.5) `_ (2019-07-14)
* Python **3.6.9** (2019-07-02) fixed by `commit 4f06dae (branch 3.6) `_ (2019-05-29)
* Python **3.7.4** (2019-07-08) fixed by `commit 34bab21 (branch 3.7) `_ (2019-05-22)
* Python **3.8.0** (2019-10-14) fixed by `commit 0c2b6a3 (branch 3.8) `_ (2019-05-22)

Python issue
------------

[security][CVE-2019-9948] Unnecessary URL scheme exists to allow local_file:// reading file in urllib.

* Python issue: `bpo-35907 `_
* Creation date: 2019-02-06
* Reporter: Sihoon Lee

CVE-2019-9948
-------------

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

* CVE ID: `CVE-2019-9948 `_
* Published: 2019-03-23
* `CVSS Score `_: 6.4

Timeline
--------

Timeline using the disclosure date **2019-02-06** as reference:

* 2019-02-06: `Python issue bpo-35907 `_ reported by Sihoon Lee
* 2019-03-23 (**+45 days**): CVE-2019-9948 published
* 2019-05-21 (**+104 days**): `commit b15bde8 (branch 2.7) `_
* 2019-05-22 (**+105 days**): `commit 0c2b6a3 (branch 3.8) `_
* 2019-05-22 (**+105 days**): `commit 34bab21 (branch 3.7) `_
* 2019-05-29 (**+112 days**): `commit 4f06dae (branch 3.6) `_
* 2019-07-02 (**+146 days**): Python 3.6.9 released
* 2019-07-08 (**+152 days**): Python 3.7.4 released
* 2019-07-14 (**+158 days**): `commit 4fe82a8 (branch 3.5) `_
* 2019-10-14: Python 3.8.0 released
* 2019-10-19 (**+255 days**): Python 2.7.17 released
* 2019-10-29 (**+265 days**): Python 3.5.8 released
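The root cause above is a scheme blocklist that names ``file:`` but not the extra ``local_file:`` alias urllib also accepted. The following is an added example, not code from this page or from CPython: it places that blocklist-style check beside the scheme allowlist an application should use instead, using a scheme parser modelled on the regex urllib's ``splittype()`` used (the helper names, ``safe_urlopen`` wrapper and ``example.org`` URL are assumptions for illustration).

```python
import re
from urllib.parse import urlsplit
from urllib.request import urlopen

# Scheme extraction modelled on the regex urllib's splittype() used: everything
# before the first ':' that contains no '/'. An underscore is accepted, which is
# why 'local_file' was recognised as a scheme by urllib at all.
_SCHEME_RE = re.compile(r"^([^/:]+):")

DENIED_SCHEMES = frozenset({"file"})            # the blocklist CVE-2019-9948 bypasses
ALLOWED_SCHEMES = frozenset({"http", "https"})  # what a web fetcher actually needs


def url_scheme(url: str) -> str:
    """Return the lowercased scheme as splittype() would see it, or '' if none."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def blocklist_allows(url: str) -> bool:
    """Weak check: reject only known-bad schemes. 'local_file:' slips through."""
    return url_scheme(url) not in DENIED_SCHEMES


def allowlist_allows(url: str) -> bool:
    """Robust check: accept only the schemes the application needs."""
    return url_scheme(url) in ALLOWED_SCHEMES


def stdlib_scheme(url: str) -> str:
    """What urllib.parse.urlsplit() reports. '_' is not a valid RFC 3986 scheme
    character, so 'local_file:...' parses as having no scheme at all; a
    blocklist built on urlsplit() therefore misses it as well."""
    return urlsplit(url).scheme


def safe_urlopen(url: str, timeout: float = 10.0):
    """Open a URL only after the allowlist check passes; raise instead of
    letting an unexpected scheme fall through to a local file read."""
    if not allowlist_allows(url):
        raise ValueError(f"refusing URL with scheme {url_scheme(url)!r}: {url}")
    return urlopen(url, timeout=timeout)


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "local_file:///etc/passwd", "https://example.org/"):
        print(f"{u:28} blocklist={blocklist_allows(u)!s:5} allowlist={allowlist_allows(u)}")
```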