This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Unnecessary URL scheme exists to allow 'URL: reading file in urllib
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 2.7
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: Nosy List: Alyan, christian.heimes, hroncok, stestagg
Priority: normal Keywords:

Created on 2019-08-11 11:16 by Alyan, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 24870 closed hroncok, 2021-03-15 10:27
Messages (3)
msg349385 - (view) Author: Abdullah (Alyan) Date: 2019-08-11 11:16
I am not sure if this was reported before, fixed, or even how to report this. However this issue is similar to

# Vulnerability PoC
import urllib
print urllib.urlopen('URL:/etc/passwd').read()[:30]
the result is
# User Database
# Note t

I have tested the PoC on my Mac python 2.7.
msg388695 - (view) Author: Steve Stagg (stestagg) Date: 2021-03-15 00:27
This appears to have been fixed in python 3:
import urllib.request

$> python 
Traceback (most recent call last):
  File "", line 2, in <module>
  File "/usr/lib/python3.9/urllib/", line 214, in urlopen
    return, data, timeout)
  File "/usr/lib/python3.9/urllib/", line 501, in open
    req = Request(fullurl, data)
  File "/usr/lib/python3.9/urllib/", line 320, in __init__
    self.full_url = url
  File "/usr/lib/python3.9/urllib/", line 346, in full_url
  File "/usr/lib/python3.9/urllib/", line 375, in _parse
    raise ValueError("unknown url type: %r" % self.full_url)
ValueError: unknown url type: '/etc/passwd'
msg388722 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-15 10:00
It's a Python 2-only problem. Python 2 no longer receives security fixes. Please update to a supported version of Python or report the issue with your vendor.
Date User Action Args
2022-04-11 14:59:19adminsetgithub: 82001
2021-03-15 10:27:08hroncoksetnosy: + hroncok

pull_requests: + pull_request23632
2021-03-15 10:00:34christian.heimessetstatus: open -> closed

nosy: + christian.heimes
messages: + msg388722

resolution: wont fix
stage: resolved
2021-03-15 00:27:13stestaggsetnosy: + stestagg
messages: + msg388695
2019-08-11 11:16:29Alyancreate