scheme¶

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Disclosure date: 2019-02-06 (Python issue bpo-35907 reported)

Fixed In¶

Python 2.7.17 (2019-10-19) fixed by commit b15bde8 (branch 2.7) (2019-05-21)
Python 3.5.8 (2019-10-29) fixed by commit 4fe82a8 (branch 3.5) (2019-07-14)
Python 3.6.9 (2019-07-03) fixed by commit 4f06dae (branch 3.6) (2019-05-29)
Python 3.7.4 (2019-07-09) fixed by commit 34bab21 (branch 3.7) (2019-05-22)
Python 3.8.0 (2019-10-14) fixed by commit 0c2b6a3 (branch 3.8) (2019-05-22)

Python issue¶

[security][CVE-2019-9948] Unnecessary URL scheme exists to allow local_file:// reading file in urllib.

Python issue: bpo-35907
Creation date: 2019-02-06
Reporter: Sihoon Lee

CVE-2019-9948¶

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(‘local_file:///etc/passwd’) call.

CVE ID: CVE-2019-9948
Published: 2019-03-23
CVSS Score: 6.4

Timeline¶

Timeline using the disclosure date 2019-02-06 as reference:

2019-02-06: Python issue bpo-35907 reported by Sihoon Lee
2019-03-23 (+45 days): CVE-2019-9948 published
2019-05-21 (+104 days): commit b15bde8 (branch 2.7)
2019-05-22 (+105 days): commit 0c2b6a3 (branch 3.8)
2019-05-22 (+105 days): commit 34bab21 (branch 3.7)
2019-05-29 (+112 days): commit 4f06dae (branch 3.6)
2019-07-03 (+147 days): Python 3.6.9 released
2019-07-09 (+153 days): Python 3.7.4 released
2019-07-14 (+158 days): commit 4fe82a8 (branch 3.5)
2019-10-14: Python 3.8.0 released
2019-10-19 (+255 days): Python 2.7.17 released
2019-10-29 (+265 days): Python 3.5.8 released