New submission from Guido van Rossum <gu...@python.org>: We received the following on the security list. With the OP's permission I am now filing a public bug with a patch, with the intent to submit the patch ASAP (in time for MvL's planned April security release of Python 2.5).
The OP's description is below; I will attach a patch to this issue as soon as I have figured out how.

description:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contain handlers for ftp:// and file:// URL schemes. Now unfortunately it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes.

Examples of how this could turn bad:

1) File disclosure: A web application that normally fetches and displays a web page is redirected to file:///etc/passwd and discloses it.

2) Denial of Service: An application is redirected to a system device (e.g. file:///dev/zero), which will result in excessive CPU/memory/disk usage.

Affected versions:
------------------
The urllib and urllib2 modules of python 2.4.6 and 2.6.5 were tested, but this likely affects all versions.

Possible solution:
------------------
The default handlers could be reduced, but this will probably break existing python scripts. Alternatively the default HTTPRedirectHandler behaviour can be changed to only allow redirects to HTTP, HTTPS and FTP by checking the scheme of the location URL (this seems to be a common practice in browsers).

----------
assignee: gvanrossum
components: Library (Lib)
hgrepos: 6
messages: 131981
nosy: barry, benjamin.peterson, georg.brandl, gvanrossum
priority: release blocker
severity: normal
stage: patch review
status: open
title: Redirect vulnerability in urllib/urllib2
type: security
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11662>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
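The mitigation the report proposes (vet the scheme of the Location URL before following a 3xx) as an added, stand-alone illustration. This is editor-written example code, not the OP's report, Guido's patch, or CPython's own fix; it targets Python 3's urllib.request (the report discusses Python 2's urllib/urllib2, where the handler class has the same name). CPython's eventual fix for this issue put an equivalent scheme check into HTTPRedirectHandler.http_error_302, so current interpreters already block file:// redirects; the point here is to show the check itself and to exercise it offline with a constructed 302 response. The names resolve_redirect_target, SchemeRestrictedRedirectHandler and simulate_redirect, the host example.test, and the allowed-scheme set are all assumptions of this example.

```python
"""Added example (not from the bug report or CPython): refuse HTTP redirects
whose Location resolves to a scheme other than http/https/ftp.

The file:///etc/passwd (disclosure) and file:///dev/zero (DoS) cases from the
report both fail the scheme check and surface as an HTTPError instead of
being fetched through the file:// handler.
"""
import urllib.error
import urllib.request
from email.message import Message
from urllib.parse import urljoin, urlsplit

# Assumed policy: the schemes the report says browsers commonly follow.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def resolve_redirect_target(request_url, location, allowed=ALLOWED_REDIRECT_SCHEMES):
    """Resolve a Location header against the request URL and vet its scheme.

    Returns the absolute target URL if it may be followed, or None if it
    would switch to a scheme outside `allowed` (file://, data:, ...).
    """
    # Relative Locations ("/login") inherit the original scheme via urljoin;
    # absolute ones ("file:///etc/passwd") keep their own and are checked.
    target = urljoin(request_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in allowed:
        return None
    return target


class SchemeRestrictedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that only follows redirects to web/ftp schemes."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if resolve_redirect_target(req.full_url, newurl) is None:
            # Report the blocked redirect as an HTTPError carrying the 3xx
            # code, so the caller sees a failed redirect, not file contents.
            raise urllib.error.HTTPError(
                newurl, code,
                "Redirection to url '%s' is not allowed" % newurl,
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Opener in which the restricted handler replaces the stock one.

    build_opener drops a default handler when a subclass of it is supplied,
    so only this handler sees 3xx responses.
    """
    return urllib.request.build_opener(SchemeRestrictedRedirectHandler)


def simulate_redirect(request_url, location, code=302):
    """Feed a constructed 302 (no network I/O) through the handler.

    Mirrors what http_error_302 does before calling redirect_request:
    join the raw Location against the request URL.  Returns the URL the
    handler would follow, or None if it refused the redirect.
    """
    req = urllib.request.Request(request_url)
    headers = Message()            # constructed stand-in for response headers
    headers["Location"] = location
    newurl = urljoin(req.full_url, location)
    handler = SchemeRestrictedRedirectHandler()
    try:
        new_req = handler.redirect_request(req, None, code, "Found", headers, newurl)
    except urllib.error.HTTPError:
        return None
    return new_req.full_url


if __name__ == "__main__":
    for loc in ("https://example.test/login", "/login",
                "file:///etc/passwd", "file:///dev/zero"):
        print("%-28s -> %s" % (loc, simulate_redirect("http://example.test/page", loc)))
```

Note that the check runs on the resolved URL, not on the raw header value, so a relative Location is still accepted (it inherits the request's own scheme), while an absolute Location is judged on the scheme it actually carries. Checking only the raw string for a leading "http" would miss the scheme-less and mixed-case forms that urlsplit normalises.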