[New-bugs-announce] [issue11662] Redirect vulnerability in urllib/urllib2
Guido van Rossum
report at bugs.python.org
Thu Mar 24 16:06:57 CET 2011
New submission from Guido van Rossum <guido at python.org>:
We received the following on the security list. With the OP's permission I am now filing a public bug with a patch, with the intent to submit the patch ASAP (in time for MvL's planned April security release of Python 2.5).
The OP's description is below; I will attach a patch to this issue as soon as I have figured out how.
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contain handlers for ftp:// and file:// URLs.
Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:
1) File disclosure: A web application that normally fetches and
displays a web page is redirected to file:///etc/passwd and
2) Denial of Service: An application is redirected to a system device
(e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
The urllib and urllib2 modules of Python 2.4.6 and 2.6.5 were tested,
but this likely affects all versions.
The default handlers could be reduced, but this will probably break
existing Python scripts.
Alternatively, the default HTTPRedirectHandler behaviour can be changed
to only allow redirects to HTTP, HTTPS and FTP by checking the scheme
of the Location URL (this seems to be a common practice in browsers).
components: Library (Lib)
nosy: barry, benjamin.peterson, georg.brandl, gvanrossum
priority: release blocker
stage: patch review
title: Redirect vulnerability in urllib/urllib2
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Python tracker <report at bugs.python.org>
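The mitigation proposed above (refuse any redirect whose Location resolves to a scheme other than http, https or ftp), written out as a urllib.request redirect handler. This is an added example, not the patch attached to the issue or any CPython code; the names check_redirect_target, DisallowedRedirect, SchemeCheckingRedirectHandler and simulate_redirect are ours, and the sample Location values are constructed. It goes slightly beyond the report in one respect: the check is applied to the Location after it has been resolved against the requested URL, so relative and scheme-relative Locations are judged by the scheme they inherit rather than by an empty scheme string.

```python
"""Scheme-restricted HTTP redirects for urllib.request (added example,
not part of the bug report or of CPython)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# The schemes the report proposes to allow as redirect targets.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


class DisallowedRedirect(ValueError):
    """Raised when a Location header points outside the allowed schemes."""


def check_redirect_target(request_url, location, allowed=ALLOWED_REDIRECT_SCHEMES):
    """Resolve a Location header against the URL that was requested and
    return the absolute target, or raise DisallowedRedirect.

    The check runs on the resolved URL, so "/path" or "//other.example/x"
    inherits the original scheme and is judged on that, while
    "file:///etc/passwd" or "FILE:///dev/zero" is rejected regardless of
    case (urlparse lowercases the scheme).
    """
    target = urljoin(request_url, location)
    scheme = urlparse(target).scheme.lower()
    if scheme not in allowed:
        raise DisallowedRedirect(
            f"refusing redirect from {request_url!r} to {target!r}: "
            f"scheme {scheme or '(none)'!r} is not one of {sorted(allowed)}")
    return target


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that fails closed on non-http/https/ftp targets.

    redirect_request() is the hook urllib calls to build the follow-up
    Request once it has decided that a 30x response should be followed.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            newurl = check_redirect_target(req.full_url, newurl)
        except DisallowedRedirect as exc:
            # Surface it as the HTTPError that callers of urlopen() already
            # handle, rather than silently following or silently dropping it.
            raise urllib.error.HTTPError(newurl, code, str(exc), headers, fp) from exc
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_checking_opener():
    """Opener whose redirect handling goes through the checking handler.

    build_opener() drops the stock HTTPRedirectHandler when a subclass of
    it is supplied, so this replaces rather than duplicates redirect logic.
    """
    return urllib.request.build_opener(SchemeCheckingRedirectHandler)


def simulate_redirect(request_url, location, code=302):
    """Drive the handler the way urllib would for a 30x response carrying
    `location`, without touching the network. Returns the URL of the
    follow-up request, or None if the handler refused it with an HTTPError.
    """
    req = urllib.request.Request(request_url)
    handler = SchemeCheckingRedirectHandler()
    try:
        return handler.redirect_request(req, None, code, "Found", {}, location).full_url
    except urllib.error.HTTPError:
        return None


if __name__ == "__main__":
    # Constructed Location values a malicious server might send back.
    samples = [
        "/login",                      # relative: keeps http
        "//other.example/page",        # scheme-relative: keeps http
        "https://other.example/page",  # https: allowed
        "ftp://ftp.example/pub/file",  # ftp: allowed
        "file:///etc/passwd",          # file disclosure (report, item 1)
        "FILE:///dev/zero",            # device read DoS (report, item 2)
        "data:text/plain,hello",       # anything else is refused too
    ]
    for loc in samples:
        outcome = simulate_redirect("http://app.example/fetch", loc)
        print(f"{loc:30} -> {outcome if outcome else 'BLOCKED'}")
```

Python 3's HTTPRedirectHandler.http_error_302 already carries a scheme check of this kind (it is where the fix for this issue was applied) and runs it before redirect_request is reached, so on a patched interpreter the override above is defence in depth; on the unpatched versions named in the report it is the mitigation itself. Checking the resolved URL rather than the raw header also means a Location of "//other.example/x" is correctly treated as an http(s) redirect to another host, which an application may still want to restrict separately.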