
Author gvanrossum
Recipients barry, benjamin.peterson, georg.brandl, gvanrossum
Date 2011-03-24.15:06:56
We received the following on the security list. With the OP's permission I am now filing a public bug with a patch, with the intent to submit the patch ASAP (in time for MvL's planned April security release of Python 2.5).

The OP's description is below; I will attach a patch to this issue as soon as I have figured out how.

The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contain handlers for ftp:// and file:// URLs.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples of how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk

Affected versions:
The urllib and urllib2 modules of Python 2.4.6 and 2.6.5 were tested,
but this likely affects all versions.

Possible solution:
The default handlers could be reduced but this will probably break
existing python scripts.

Alternatively, the default HTTPRedirectHandler behaviour can be changed
to only allow redirects to HTTP, HTTPS and FTP by checking the scheme
of the Location URL (this seems to be a common practice in browsers).
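The second mitigation the report proposes, a scheme allowlist applied to the redirect target, as an added example for Python 3's urllib.request. This is not the patch attached to the issue and not CPython's own code; the class and function names (SchemeRestrictedRedirectHandler, resolve_redirect, simulate_redirect, build_restricted_opener) and the sample request and Location values are this example's own. It subclasses HTTPRedirectHandler and hooks redirect_request(), which the base class calls with the Location value already joined against the request URL, so a refusal there aborts the redirect before any file:// or other non-web handler is reached.

```python
"""Restrict urllib.request redirects to an allowlist of URL schemes.

Added example; not code from the bug report or from CPython. Names and
sample URLs are this example's own.
"""
import email.message
import urllib.error
import urllib.parse
import urllib.request

# The schemes the report suggests allowing. An allowlist (not a denylist)
# means data:, file:, gopher: or anything added later is refused by default.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def resolve_redirect(request_url, location, allowed=ALLOWED_REDIRECT_SCHEMES):
    """Resolve a Location header against the request URL and return the
    absolute target, or None if its scheme is not in `allowed`.

    Resolve first, then check: "/login" is a harmless relative path that
    inherits the request's scheme, while "file:///etc/passwd" replaces it.
    urlsplit() lowercases the scheme, so "FILE:///..." is caught as well.
    """
    target = urllib.parse.urljoin(request_url, location.strip())
    scheme = urllib.parse.urlsplit(target).scheme.lower()
    if scheme not in allowed:
        return None
    return target


class SchemeRestrictedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that refuses redirects to non-web schemes.

    redirect_request() is the documented hook: returning a Request follows
    the redirect, raising HTTPError aborts it with the 3xx response attached.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if resolve_redirect(req.full_url, newurl) is None:
            raise urllib.error.HTTPError(
                newurl, code,
                "%s - redirect to %r refused (scheme not allowed)" % (msg, newurl),
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_restricted_opener():
    """Opener with the default HTTPRedirectHandler swapped for the restricted one.

    build_opener() omits a default handler when an instance of a subclass of
    it is passed, so this replaces the redirect handler instead of adding a
    second one that would still follow the redirect.
    """
    return urllib.request.build_opener(SchemeRestrictedRedirectHandler())


def simulate_redirect(request_url, location, code=302):
    """Drive the handler offline with a constructed 302 response.

    Returns the URL the opener would fetch next, or None if the redirect was
    refused. `headers` is a constructed email.message.Message standing in for
    the parsed response headers; fp is None because the handler only passes
    it through to HTTPError here. No network access is involved.
    """
    handler = SchemeRestrictedRedirectHandler()
    req = urllib.request.Request(request_url)
    headers = email.message.Message()
    headers["Location"] = location
    newurl = urllib.parse.urljoin(request_url, location)  # what http_error_302 would hand over
    try:
        new_req = handler.redirect_request(req, None, code, "Found", headers, newurl)
    except urllib.error.HTTPError:
        return None
    return new_req.full_url if new_req is not None else None


if __name__ == "__main__":
    base = "http://app.example/fetch"  # constructed request URL
    for location in (
        "https://cdn.example/page.html",  # allowed: web scheme
        "/login",                         # allowed: relative, stays http
        "file:///etc/passwd",             # the report's case 1, refused
        "file:///dev/zero",               # the report's case 2, refused
        "FILE:///etc/passwd",             # mixed case, still refused
    ):
        print("%-32s -> %s" % (location, simulate_redirect(base, location) or "REFUSED"))
```

Installing it is `opener = build_restricted_opener(); opener.open(url)` (or `urllib.request.install_opener(opener)` for the module-level functions). Whether ftp belongs in the allowlist is a policy choice; the report keeps it for compatibility, and an application that never expects FTP content should drop it. A redirect loop limit and any host allowlist the application needs are separate checks that this scheme filter does not replace.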
History

Date                 User        Action   Args
2011-03-24 15:06:58  gvanrossum  set      recipients: + gvanrossum, barry, georg.brandl, benjamin.peterson
2011-03-24 15:06:57  gvanrossum  link     issue11662 messages
2011-03-24 15:06:57  gvanrossum  create