Skip to content

reject file:// urls in pylock packages fetched from a URL#14174

Open
Arawoof06 wants to merge 2 commits into
pypa:mainfrom
Arawoof06:pylock-remote-url-scheme
Open

reject file:// urls in pylock packages fetched from a URL#14174
Arawoof06 wants to merge 2 commits into
pypa:mainfrom
Arawoof06:pylock-remote-url-scheme

Conversation

@Arawoof06

@Arawoof06 Arawoof06 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

When a pylock.toml is fetched from an http(s) URL, _package_dist_url returns a package's url field unchanged, so an entry with url = "file:///etc/passwd" (or file://host/share/pkg.whl on Windows) makes pip read a local file or reach an SMB share even though the lock came from a remote server. #14159 closed this for the relative path field, and package_directory_requirement_url already refuses local targets for directory entries; this applies the same rule to the url field used by wheel/sdist/archive/vcs packages, while still letting a remote lock reference other http(s) hosts.

PR Checklist:

  • I agree to follow the PSF Code of Conduct.
  • I have read and have followed the CONTRIBUTING.md file.
  • I have added a news file fragment (or this PR does not need one).
  • I have read and followed the AI_POLICY.md file, and if any AI tools were used, I have disclosed it below.

Signed-off-by: abdul rawoof <abdulr@bugqore.com>
@ichard26

Copy link
Copy Markdown
Member

Like with all of the other PRs, I still take issue with the comments. Keep them brief, please. Also, this is not a security vulnerability as we assume that pip is being handed trusted input. Otherwise, I'll leave this for review by @sbidoul.

Signed-off-by: abdul rawoof <abdulr@bugqore.com>
@Arawoof06

Copy link
Copy Markdown
Contributor Author

Trimmed the comment down to a single line. And noted on the threat model - I'll drop the security framing; the behaviour change still seems worth having for consistency with the path branch and the directory-entry check. Happy to let sbidoul take it from here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants