
Author: yao zhihua
Recipients: ned.deily, orsenthil, yao zhihua
Date: 2018-03-10.14:10:40
Message-id: <1520691040.59.0.467229070634.issue32993@psf.upfronthosting.co.za>
Content
Borrowing what others have said from Issue11662.
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contain handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.
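One defensive pattern for the problem quoted above, as an added example that is not part of the report or of CPython itself: a redirect handler for urllib.request that only follows a Location header whose scheme is http or https, regardless of which schemes the default handlers support. `check_redirect` exercises the decision on a constructed 302 without any network access; the origin URL `http://example.test/page` is an assumed sample value.

```python
import urllib.request
import urllib.error
from urllib.parse import urlsplit

# Schemes a redirect may land on. Assumption: the application only ever
# intends to talk to web servers, so ftp:// and file:// are never wanted.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def is_redirect_allowed(new_url, allowed=ALLOWED_REDIRECT_SCHEMES):
    """Return True only if the redirect target uses an allow-listed scheme."""
    return urlsplit(new_url).scheme.lower() in allowed


class SchemeRestrictingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that refuses Location targets outside http/https.

    The check runs inside redirect_request, i.e. before any Request for the
    new URL is built, so a file:// or ftp:// target is never opened.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_redirect_allowed(newurl):
            raise urllib.error.HTTPError(
                newurl, code,
                "redirect to disallowed scheme %r refused"
                % urlsplit(newurl).scheme, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Opener in which this handler replaces the default redirect handler."""
    return urllib.request.build_opener(SchemeRestrictingRedirectHandler)


def check_redirect(newurl, code=302):
    """Run the handler's decision on a constructed redirect (no network).

    Returns the follow-up Request if the redirect is allowed, None if refused.
    """
    handler = SchemeRestrictingRedirectHandler()
    req = urllib.request.Request("http://example.test/page")  # constructed origin
    try:
        return handler.redirect_request(req, None, code, "Found", {}, newurl)
    except urllib.error.HTTPError:
        return None
```

Use `build_opener().open(url)` in place of `urllib.request.urlopen(url)` wherever untrusted servers may answer with a redirect.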