[Chicago] urllib & urllib2 will read file URLs security bug!

Carl Karsten carl at personnelware.com
Thu Jun 9 00:11:32 CEST 2011


squidclient -p 8000 -m PURGE
http://us.archive.ubuntu.com/main/debian-installer/binary-amd64/Packages.gz

"""
For security purposes, Mozilla applications block links to local files
(and directories) from remote files. This includes linking to files on
your hard drive, on mapped network drives, and accessible via Uniform
Naming Convention (UNC) paths. This prevents a number of unpleasant
possibilities, including:
...
"""

I can appreciate that a browser should be a sand box with _very_
limited access to the rest of my system.  This lets me click around
the wild whacky web and not be too worried.

I have no such desire to put such limitations on applications I run.
They get full access to whatever the OS gives them access to.  The app
can use open('/etc/passwd'), cuz I allow apps to do that.  The fact
that an app can do it using some other function doesn't bother me.

So personally I don't see what the problem is.




On Wed, Jun 8, 2011 at 4:42 PM, Brian Herman <brianherman at gmail.com> wrote:
> http://blog.codekills.net/archives/100-Python-security-tip-urlliburllib2-will-read-file-URLs.html
> Thanks,
> Brian Herman
>
> brianjherman.com
> brianherman at acm.org



-- 
Carl K
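
The behaviour named in the subject line, shown next to an opener that only speaks HTTP(S). This is an added example, not code from either poster or from the linked blog post; it assumes Python 3, where `urllib.request` replaces `urllib`/`urllib2`, and the helper names `build_http_only_opener` and `fetch_http_only` are hypothetical.

```python
import os
import tempfile
import urllib.error
import urllib.request
from pathlib import Path


def build_http_only_opener():
    """Opener that handles http/https only (hypothetical helper name)."""
    # OpenerDirector() starts empty; build_opener() would add FileHandler
    # and FTPHandler back in as defaults.
    opener = urllib.request.OpenerDirector()
    for handler in (
        urllib.request.UnknownHandler(),  # other schemes -> URLError
        urllib.request.HTTPHandler(),
        urllib.request.HTTPSHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPRedirectHandler(),
        urllib.request.HTTPErrorProcessor(),
    ):
        opener.add_handler(handler)
    return opener


def fetch_http_only(url, timeout=10):
    """Fetch url, raising URLError for file:, ftp: and other schemes."""
    with build_http_only_opener().open(url, timeout=timeout) as resp:
        return resp.read()


def demo():
    """Return (bytes the stock opener read via file://, restricted refused?)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample contents\n")  # constructed input
        os.close(fd)
        url = Path(path).as_uri()  # e.g. file:///tmp/tmpab12cd
        with urllib.request.urlopen(url) as resp:  # stock opener: FileHandler
            via_default = resp.read()
        try:
            fetch_http_only(url)
            refused = False
        except urllib.error.URLError:
            refused = True
        return via_default, refused
    finally:
        os.unlink(path)
```

`demo()` runs offline: the stock `urlopen` returns the temporary file's bytes through a `file://` URL, while the restricted opener raises `URLError` for the same URL.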

