
classification
Title: Unnecessary URL scheme exists to allow 'URL: reading file in urllib
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 2.7

process
Status: closed
Resolution: wont fix
Dependencies:
Superseder:
Assigned To:
Nosy List: Alyan, christian.heimes, hroncok, stestagg
Priority: normal
Keywords:

Created on 2019-08-11 11:16 by Alyan, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
PR 24870, status: closed, linked by hroncok, 2021-03-15 10:27

Messages (3)
msg349385 - Author: Abdullah (Alyan) Date: 2019-08-11 11:16
I am not sure if this was reported before, fixed, or even how to report this. However, this issue is similar to https://bugs.python.org/issue35907

# Vulnerability PoC
import urllib
print urllib.urlopen('URL:/etc/passwd').read()[:30]
The result is:
##
# User Database
# 
# Note t

I have tested the PoC on my Mac with Python 2.7.

msg388695 - Author: Steve Stagg (stestagg) Date: 2021-03-15 00:27
This appears to have been fixed in Python 3:

rx.py:
import urllib.request
print(urllib.request.urlopen('URL:/etc/passwd').read()[:30])

$> python rx.py 
Traceback (most recent call last):
  File "rx.py", line 2, in <module>
    print(urllib.request.urlopen('URL:/etc/passwd').read()[:30])
  File "/usr/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.9/urllib/request.py", line 501, in open
    req = Request(fullurl, data)
  File "/usr/lib/python3.9/urllib/request.py", line 320, in __init__
    self.full_url = url
  File "/usr/lib/python3.9/urllib/request.py", line 346, in full_url
    self._parse()
  File "/usr/lib/python3.9/urllib/request.py", line 375, in _parse
    raise ValueError("unknown url type: %r" % self.full_url)
ValueError: unknown url type: '/etc/passwd'

msg388722 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-15 10:00
It's a Python 2-only problem. Python 2 no longer receives security fixes. Please update to a supported version of Python or report the issue with your vendor.
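
Added example (not part of the original thread and not CPython's own code): a Python 3 scheme allowlist that first strips the `URL:` / `<...>` wrapper, as the traceback above shows urllib doing (it reports '/etc/passwd', not 'URL:/etc/passwd'), so the check judges what is left. `ALLOWED_SCHEMES`, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the app only fetches web URLs
# Constructed sample inputs, not taken from any real log.
SAMPLES = [
    "<URL:https://example.org/>",
    "URL:/etc/passwd",
    "file:///etc/passwd",
    "URL:file:///etc/passwd",
]


def unwrap_like_urllib(url):
    """Strip the '<URL:...>' wrapper the way urllib does before parsing."""
    url = url.strip()
    if url[:1] == "<" and url[-1:] == ">":
        url = url[1:-1].strip()
    if url[:4] == "URL:":
        url = url[4:].strip()
    return url


def naive_blocklist_ok(url):
    """Weak check: only rejects strings that visibly start with 'file:'."""
    return not url.lower().startswith("file:")


def validate_fetch_url(url):
    """Return the normalized URL if it may be fetched, else raise ValueError."""
    normalized = unwrap_like_urllib(url)
    parts = urlsplit(normalized)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % normalized)
    if not parts.hostname:
        raise ValueError("missing host: %r" % normalized)
    return normalized


def is_allowed(url):
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), naive_blocklist_ok(sample), is_allowed(sample))
```

Pass the normalized string returned by `validate_fetch_url` to the fetcher rather than the original input, so the check and the request see the same URL.
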
History
Date  User  Action  Args
2022-04-11 14:59:19  admin  set  github: 82001
2021-03-15 10:27:08  hroncok  set  nosy: + hroncok; pull_requests: + pull_request23632
2021-03-15 10:00:34  christian.heimes  set  status: open -> closed; nosy: + christian.heimes; messages: + msg388722; resolution: wont fix; stage: resolved
2021-03-15 00:27:13  stestagg  set  nosy: + stestagg; messages: + msg388695
2019-08-11 11:16:29  Alyan  create