urllib module local_file:// scheme
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

The root cause is how the legacy URLopener dispatches on the scheme: URLopener.open() builds a method name from 'open_' plus the scheme and looks it up with getattr(), so the internal helper open_local_file(), the routine that open_file() uses to read a local file, is reachable directly by naming it as a scheme. A filter that only rejects URLs beginning with file: therefore lets local_file:///etc/passwd through. The fix refuses the name open_local_file in that lookup. The same dispatch exists in the deprecated urllib.request.URLopener and FancyURLopener classes in Python 3, which is why the 3.5 through 3.8 branches were patched as well; urllib.request.urlopen(), which goes through OpenerDirector and its per-scheme handler methods, does not dispatch this way.
- Disclosure date: 2019-02-06 (Python issue bpo-35907 reported)
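The following is an added example, not code from this page or from CPython. It models the URLopener scheme dispatch that lets local_file: reach the file handler, the bpo-35907 check that closes it, and a blacklist filter the scheme bypasses next to an allowlist that holds. It also shows that urllib.parse.urlsplit() and urllib's splittype() disagree on what the scheme of local_file:///etc/passwd is, so a filter built on one parser does not see what the opener dispatches on. The class LegacyOpener and the helpers are hypothetical stand-ins; the secret file is a constructed temp file in place of /etc/passwd, and POSIX paths are assumed.

```python
"""Added example (not from this page or CPython): model of the legacy urllib
URLopener dispatch behind CVE-2019-9948, the fix, and blacklist vs allowlist
URL filters.  Sample data is a constructed temp file; POSIX paths assumed."""
import os
import re
import tempfile
from urllib.parse import unquote, urlsplit

# Same pattern urllib's splittype() uses: any run of non-'/' non-':' characters
# before the first ':' is the scheme, so 'local_file' qualifies.
_TYPEPROG = re.compile(r"([^/:]+):(.*)", re.DOTALL)


def split_type(url):
    """(scheme, rest) as the opener sees it, or (None, url) if no scheme."""
    m = _TYPEPROG.match(url)
    return (m.group(1), m.group(2)) if m else (None, url)


def scheme_as_seen_by(url):
    """urlsplit() only accepts [A-Za-z0-9+.-] in a scheme, so for 'local_file:'
    it reports '' while splittype() reports 'local_file'."""
    return {"splittype": split_type(url)[0], "urlsplit": urlsplit(url).scheme}


class LegacyOpener:
    """Miniature model (hypothetical) of urllib.URLopener.open(): the scheme
    becomes the method name 'open_<scheme>' and is looked up with getattr(),
    which is why the helper open_local_file() was reachable as a scheme.
    ``patched`` models the bpo-35907 fix: the name 'open_local_file' is refused."""

    def __init__(self, patched):
        self.patched = patched

    def open(self, url):
        scheme, rest = split_type(url)
        if scheme is None:
            scheme, rest = "file", url
        name = "open_" + scheme.replace("-", "_")
        if not hasattr(self, name) or (self.patched and name == "open_local_file"):
            return self.open_unknown(scheme)
        return getattr(self, name)(rest)

    def open_file(self, rest):
        # file: URLs are delegated to the local-file helper, as in CPython.
        return self.open_local_file(rest)

    def open_local_file(self, rest):
        # Drop the '//' authority marker and read the path.
        path = unquote(rest[2:] if rest.startswith("//") else rest)
        with open(path, "rb") as f:
            return f.read()

    def open_unknown(self, scheme):
        raise OSError("url error", "unknown url type", scheme)


def fetch(opener, url):
    """File contents if the opener reads the file, None if it refuses."""
    try:
        return opener.open(url)
    except OSError:
        return None


def blacklist_allows(url):
    """The kind of check CVE-2019-9948 defeats: deny 'file:' and pass the rest."""
    return urlsplit(url).scheme.lower() != "file"


def allowlist_allows(url):
    """Permit only the schemes the application needs; anything unparseable
    or unknown (including '' for 'local_file:') fails closed."""
    return urlsplit(url).scheme.lower() in {"http", "https"}


def make_secret_file(content):
    """Constructed stand-in for /etc/passwd so the example runs offline."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    path = make_secret_file(b"root:x:0:0:root:/root:/bin/sh\n")
    payload = "local_file://" + path
    print(scheme_as_seen_by(payload))
    print("blacklist lets it through:", blacklist_allows(payload))
    print("allowlist lets it through:", allowlist_allows(payload))
    print("unpatched opener:", fetch(LegacyOpener(patched=False), payload))
    print("patched opener:  ", fetch(LegacyOpener(patched=True), payload))
    print("file: after fix: ", fetch(LegacyOpener(patched=True), "file://" + path))
    os.unlink(path)
```

The allowlist is the practitioner's takeaway: a deny-list on file: is defeated not only by this alias but by the parser mismatch shown in scheme_as_seen_by(), whereas permitting only http and https rejects local_file: regardless of which parser the opener uses.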
Fixed In
- Python 2.7.17 (2019-10-19) fixed by commit b15bde8 (branch 2.7) (2019-05-21)
- Python 3.5.8 (2019-10-29) fixed by commit 4fe82a8 (branch 3.5) (2019-07-14)
- Python 3.6.9 (2019-07-03) fixed by commit 4f06dae (branch 3.6) (2019-05-29)
- Python 3.7.4 (2019-07-09) fixed by commit 34bab21 (branch 3.7) (2019-05-22)
- Python 3.8.0 (2019-10-14) fixed by commit 0c2b6a3 (branch 3.8) (2019-05-22)
Python issue
[security][CVE-2019-9948] Unnecessary URL scheme exists to allow file:// reading file in urllib.
- Python issue: bpo-35907
- Creation date: 2019-02-06
- Reporter: Sihoon Lee
CVE-2019-9948
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
- CVE ID: CVE-2019-9948
- Published: 2019-03-23
- CVSS Score: 6.4
Timeline
Timeline using the disclosure date 2019-02-06 as reference:
- 2019-02-06: Python issue bpo-35907 reported by Sihoon Lee
- 2019-03-23 (+45 days): CVE-2019-9948 published
- 2019-05-21 (+104 days): commit b15bde8 (branch 2.7)
- 2019-05-22 (+105 days): commit 0c2b6a3 (branch 3.8)
- 2019-05-22 (+105 days): commit 34bab21 (branch 3.7)
- 2019-05-29 (+112 days): commit 4f06dae (branch 3.6)
- 2019-07-03 (+147 days): Python 3.6.9 released
- 2019-07-09 (+153 days): Python 3.7.4 released
- 2019-07-14 (+158 days): commit 4fe82a8 (branch 3.5)
- 2019-10-14 (+250 days): Python 3.8.0 released
- 2019-10-19 (+255 days): Python 2.7.17 released
- 2019-10-29 (+265 days): Python 3.5.8 released