[Chicago] urllib & urllib2 will read file URLs security bug!

Brian Curtin brian.curtin at gmail.com
Thu Jun 9 00:18:48 CEST 2011


On Wed, Jun 8, 2011 at 16:42, Brian Herman <brianherman at gmail.com> wrote:

>
> http://blog.codekills.net/archives/100-Python-security-tip-urlliburllib2-will-read-file-URLs.html
> Thanks,
> Brian Herman


It's certainly valid to read a file:// URL. You could definitely use this
incorrectly, but that would be a bug in your program, not in urllib/urllib2.

There *was* a security bug in Python where a 302 response could redirect you
to a file:// URL but that has since been fixed:
http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html. If
you are vulnerable to this, 2.6.7 was just released (source-only), 3.1.4 and
2.7.2 are on the last planned release candidate, and 3.2.1 is about to hit
another release candidate.
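
An added example, not part of the original post and not code from Python or the linked articles: one way a program that fetches user-supplied URLs can keep file:// out, both on the initial URL and on a redirect target. It is written for Python 3's urllib.request (the successor to urllib2); the names require_web_url, WebOnlyRedirectHandler, build_web_only_opener and fetch, and the http/https allow-list, are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the app only needs web URLs


def require_web_url(url):
    """Return url unchanged if its scheme is allow-listed, else raise ValueError."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("refusing URL scheme %r" % scheme)
    return url


class WebOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply the same allow-list to every redirect target (Location header)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            require_web_url(newurl)
        except ValueError as exc:
            raise urllib.error.HTTPError(newurl, code, str(exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_web_only_opener():
    """Opener with no FileHandler/FTPHandler, so file:// has nothing to serve it."""
    opener = urllib.request.OpenerDirector()
    for handler in (
        urllib.request.UnknownHandler(),  # turns unhandled schemes into URLError
        urllib.request.HTTPHandler(),
        urllib.request.HTTPSHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        WebOnlyRedirectHandler(),
        urllib.request.HTTPErrorProcessor(),
    ):
        opener.add_handler(handler)
    return opener


def fetch(url, timeout=10):
    """Fetch a user-supplied URL; the scheme check and the opener must both pass."""
    opener = build_web_only_opener()
    with opener.open(require_web_url(url), timeout=timeout) as resp:
        return resp.read()
```

The scheme check and the restricted opener overlap on purpose: the check gives a clear error for the URL the caller passed in, while the opener still refuses file:// if some code path skips the check.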