Due to the incomplete fix for CVE-2011-1521, urllib and urllib2 exist for this vulnerability and I tested on the version of Python 3.4.8 (default, Mar 4 2018, 20:37:04).I am sorry that I do not know how to fix it.

@Yao, sorry, I don't understand it.
What is POC trying to demonstrate? How is it related to https://bugs.python.org/issue30657 

And CVE is this: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521

Okay my falut.I made the wrong issue.The issue is issue11662.Urlopen function can use the file protocol, when an attacker input file:///etc/passwd, it can leak the contents of the passwd file.

I also found a function without filtering file protocol.

poc:

import webbrowser
webbrowser.open('file:///etc/passwd')

I tried again, webbrowser module can only open file:///etc/passwd.

This is now marked as a security issue but I do not understand what the problem is.  urllib / urllib2 are supposed to be able to open file:// style URLs, that was not the point of Issue11662.  

https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener

And webbrowser also supports file: URLs if the underlying browser does; again, that's a standard feature.

So what's the problem here?

Borrow what others have said from Issue11662.
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contains handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.

Here about webbrowser vulnerability.
https://bugs.python.org/issue32367

You could execute command with file protocols in python 2.7.10.

poc :
import webbrowser, os
filename = "/bin/ls"
webbrowser.open(os.path.realpath(filename))

If python has fixed this vulnerability,why can I access file:///etc/passwd? But I can't access /etc/shadow.Is this it fixed incomplete?

Hi Yao, I tend to agree with Ned. The support for “file:” URLs is by design. I don’t see any security problems. I suggest to close this.

In Issue 11662, it was decided that a web server redirecting to a “file:” URL was a security problem. This is because the mechanism that follows the redirect is automatic, and the target of the redirect is under the control of the remote server, not the local user or program. But other parts of the Python library still support “file:” URLs without causing any problems. Those URLs are under control of the caller, like in your “poc.py” file.

The /etc/passwd file may be readable by ordinary users. But /etc/shadow may require special permission to read, because it holds password hashes. Or it may not exist under that name, depending on the OS. If a web application calls “urllib.request.urlopen”, I think it is up to the application to validate the URL it passes. It may want to deny or limit access to specific directories, URL schemes, host names, etc. It is not up to Python to make those decisions.

When I tried your “webbrowser.open” demonstration, it made Firefox offer to “download” (i.e. copy) the “ls” executable file. I think this is normal behaviour, and does not indicate a security problem. A plausible use-case would be opening a local README.html file distributed with a program in a web browser.