[Python-bugs-list] [ python-Bugs-649967 ] urllib.urlopen('file:/...') uses FTP

noreply@sourceforge.net noreply@sourceforge.net
Sat, 07 Dec 2002 01:07:16 -0800


Bugs item #649967, was opened at 2002-12-07 02:07
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=649967&group_id=5470

Category: Python Library
Group: Python 2.2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Mike Brown (mike_j_brown)
Assigned to: Nobody/Anonymous (nobody)
Summary: urllib.urlopen('file:/...') uses FTP

Initial Comment:
urllib.urlopen(), when given a 'file' URL containing a host 
part, like 'file://somehost/path/to/file', treats it as if it 
were an 'ftp' URL.

While RFC 1738 acknowledges that the access method 
for file URLs is unspecified, the assumption of FTP, even 
when a direct access method is available, is a poor 
design decision and is a possible security risk in 
applications that use urlopen().

When given a file URL, urlopen() should extract the 
portion following 'file:', convert a leading '//localhost/' 
to '///' (because localhost is a special case per RFC 
1738; see other bug report on this topic), and use 
url2pathname() to try to convert this to an OS-specific 
path. The result can then be passed to open().

For example, on Windows, urlopen
('file://somehost/path/to/file') should return the result of 
open('\somehost\path\to\file', 'rb').

In situations where there is no convention for interpreting 
the host part of a URL as a component in an OS path, 
such as on Unix filesystems, an exception should be 
raised by url2pathname(), in my opinion. If urlopen() 
wants to try an alternate access method such as FTP, it 
should only do so if directed by the caller.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=649967&group_id=5470