urllib module local_file:// scheme

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Dates:

• Disclosure date: 2019-02-06 (Python issue bpo-35907 reported)

Fixed In

• Python 2.7.17 (2019-10-19) fixed by commit b15bde8 (branch 2.7) (2019-05-21)
• Python 3.5.8 (2019-10-29) fixed by commit 4fe82a8 (branch 3.5) (2019-07-14)
• Python 3.6.9 (2019-07-02) fixed by commit 4f06dae (branch 3.6) (2019-05-29)
• Python 3.7.4 (2019-07-08) fixed by commit 34bab21 (branch 3.7) (2019-05-22)
• Python 3.8.0 (2019-10-14) fixed by commit 0c2b6a3 (branch 3.8) (2019-05-22)

Python issue

[security][CVE-2019-9948] Unnecessary URL scheme exists to allow local_file:// reading file in urllib.

• Python issue: bpo-35907
• Creation date: 2019-02-06
• Reporter: Sihoon Lee

CVE-2019-9948

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(‘local_file:///etc/passwd’) call.

• CVE ID: CVE-2019-9948
• Published: 2019-03-23
• CVSS Score: 6.4

Timeline

Timeline using the disclosure date 2019-02-06 as reference:

• 2019-02-06: Python issue bpo-35907 reported by Sihoon Lee
• 2019-03-23 (+45 days): CVE-2019-9948 published
• 2019-05-21 (+104 days): commit b15bde8 (branch 2.7)
• 2019-05-22 (+105 days): commit 0c2b6a3 (branch 3.8)
• 2019-05-22 (+105 days): commit 34bab21 (branch 3.7)
• 2019-05-29 (+112 days): commit 4f06dae (branch 3.6)
• 2019-07-02 (+146 days): Python 3.6.9 released
• 2019-07-08 (+152 days): Python 3.7.4 released
• 2019-07-14 (+158 days): commit 4fe82a8 (branch 3.5)
• 2019-10-14: Python 3.8.0 released
• 2019-10-19 (+255 days): Python 2.7.17 released
• 2019-10-29 (+265 days): Python 3.5.8 released