Message313528
Borrow what others have said from Issue11662.
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contain handlers for the ftp:// and file:// URL
schemes.
Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:
1) File disclosure: A web application, that normally fetches and
displays a web page, is redirected to file:///etc/passwd and
discloses it.
2) Denial of Service: An application is redirected to a system device
(e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
usage.

Date | User | Action | Args
2018-03-10 14:10:40 | yao zhihua | set | recipients: + yao zhihua, orsenthil, ned.deily
2018-03-10 14:10:40 | yao zhihua | set | messageid: <1520691040.59.0.467229070634.issue32993@psf.upfronthosting.co.za>
2018-03-10 14:10:40 | yao zhihua | link | issue32993 messages
2018-03-10 14:10:40 | yao zhihua | create |
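The defence a client-side application wants against the two scenarios in the message is a redirect handler that refuses to follow a 3xx response into any scheme other than http or https. The following is an added example written for this page (Python 3, not code from the tracker issue or from CPython itself); the base URL, the Location values and the helper `redirect_decision` are constructed for illustration and no network access is made. The handler is deliberately stricter than "anything urllib can open": ftp:// is refused along with file://, so a redirect to file:///etc/passwd or file:///dev/zero raises instead of being fetched.

```python
import email.message
import urllib.error
import urllib.parse
import urllib.request

# Only these schemes may be the target of a 3xx redirect.  file:// and
# ftp:// are deliberately absent, so both scenarios from the message
# (file disclosure, redirect to /dev/zero) are rejected on the client.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that never leaves http/https.

    redirect_request is the hook the stock handler calls to build the
    follow-up Request for a 3xx response; checking the scheme here means
    the check runs no matter what the server put in Location.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Location may be relative; resolve it against the request URL first.
        target = urllib.parse.urljoin(req.full_url, newurl)
        scheme = urllib.parse.urlsplit(target).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            # HTTPError is what urlopen() callers already expect to catch.
            raise urllib.error.HTTPError(
                target, code,
                "redirect to %r scheme refused (%s)" % (scheme, target),
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, target)


def redirect_decision(base_url, location, code=302):
    """Drive the handler the way urllib would for a single 3xx response.

    Hypothetical helper for demonstration.  Returns
    ("followed", <URL of the follow-up request>) or ("refused", <scheme>).
    """
    handler = StrictRedirectHandler()
    req = urllib.request.Request(base_url)
    headers = email.message.Message()  # stands in for the response headers
    try:
        new_req = handler.redirect_request(req, None, code, "Found", headers, location)
    except urllib.error.HTTPError:
        resolved = urllib.parse.urljoin(base_url, location)
        return ("refused", urllib.parse.urlsplit(resolved).scheme.lower())
    return ("followed", new_req.full_url)


def build_strict_opener():
    """OpenerDirector with the strict handler replacing the default one.

    build_opener() drops its default HTTPRedirectHandler when a subclass
    of it is supplied, so only the strict handler sees redirects.
    """
    return urllib.request.build_opener(StrictRedirectHandler)


if __name__ == "__main__":
    base = "http://app.example/fetch"  # constructed sample URL
    for loc in ("file:///etc/passwd", "file:///dev/zero",
                "ftp://mirror.example/pub/x", "/next", "https://other.example/"):
        print(loc, "->", redirect_decision(base, loc))
```

Use `build_strict_opener().open(url)` (or `urllib.request.install_opener`) in place of a bare `urlopen` so every redirect passes through the check. The handler only governs redirects: the initial URL handed to the opener still has to be validated by the application, since a user-supplied file:///etc/passwd is opened directly without any 302 being involved.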