yao zhihua <hackyzh...@gmail.com> added the comment: Borrow what others have said from Issue11662. -------------------- The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contains handlers for ftp:// and file:// URL schemes.
Now unfortunately it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes. Examples on how this could turn bad: 1) File disclosure: A web application, that normally fetches and displays a web page, is redirected to file:///etc/passwd and discloses it. 2) Denial of Service: An application is redirected to a system device (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk usage. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32993> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
