[Chicago] urllib & urllib2 will read file URLs security bug!

Steve Schwarz steve at agilitynerd.com
Thu Jun 9 00:41:25 CEST 2011


>
> I have no such desire to put such limitations on applications I run.
> They get full access to whatever the OS gives them access to.  the app
> can use open('/etc/passwd'), cuz I allow apps to do that.  the fact
> that an app can do it using some other function doesn't bother me.
>
> So personally I don't see what the problem is.
>
>
But it isn't too hard to see how the unwary could reveal information from
their system to outsiders. Say you:
- run a python application server as a privileged user
- use urllib2.urlopen("some-form-url-field-entered-by-a-malicious-user").read()
  and display the output in a template run by that application server.

- A user submits file:///etc/passwd or some such to the form and the data is
  displayed via the application server
- A user submits file:///dev/zero to the form and the application server
  reads from /dev/zero until memory is exhausted/swapping makes the server
  unavailable.

Yes, you would never run an application server with root permission and you
always scrub user input, etc. But I think the point of the warning is to be
aware that urlopen functions similarly to open() when given a file:
protocol.

Best Regards,

Steve
Blogs: http://agilitynerd.com/  http://tech.agilitynerd.com/
Dog Agility Search: http://googility.com/
Dog Agility Courses: http://agilitycourses.com/
http://www.facebook.com/AgilityNerd
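The two mitigations Steve's post implies (scrub the scheme before the URL reaches urlopen, and bound the read so a stream like /dev/zero cannot exhaust memory) as an added example that is not part of the original thread. It is written against Python 3's urllib.request, the successor of the urllib2 module under discussion; the allow-list, the byte cap and the temp file standing in for /etc/passwd are all this example's own assumptions.

```python
"""Added example (not from the mailing-list thread): a scheme allow-list and a
bounded read placed in front of urllib.request.urlopen().

Assumptions: Python 3 urllib.request (successor of urllib2); only http/https
are wanted; 1 MiB is an acceptable response cap. The temp file is a
constructed stand-in for /etc/passwd."""
import os
import pathlib
import tempfile
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = frozenset({"http", "https"})  # deny-by-default: file:, ftp:, data: all refused
MAX_BODY_BYTES = 1024 * 1024  # cap so a never-ending source such as /dev/zero cannot exhaust memory


def check_url(url):
    """Return url unchanged if its scheme is allow-listed, else raise ValueError.

    urlopen() dispatches on the scheme it is handed (file: included), so a
    user-supplied URL has to be checked before the call, not after."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("refusing URL with scheme %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("refusing URL without a host")
    return url


def is_rejected(url):
    """True if check_url() refuses the URL (convenience for callers and tests)."""
    try:
        check_url(url)
    except ValueError:
        return True
    return False


def fetch_bounded(url, max_bytes=MAX_BODY_BYTES):
    """Hardened pattern: check the scheme, then read at most max_bytes."""
    with urllib.request.urlopen(check_url(url)) as resp:
        return resp.read(max_bytes)


def read_unchecked(url, max_bytes=MAX_BODY_BYTES):
    """The pattern from the thread: whatever scheme arrives is opened as-is.
    The read is bounded here only so the demonstration itself cannot hang."""
    with urllib.request.urlopen(url) as resp:
        return resp.read(max_bytes)


def demo():
    """Show that urlopen() reads a local file: URL like open() would, and that
    the checked variant refuses it. Returns (leaked, blocked) as two booleans."""
    # Constructed stand-in for /etc/passwd with known contents.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
        path = f.name
    try:
        file_url = pathlib.Path(path).as_uri()  # e.g. file:///tmp/tmpabcd.txt
        leaked = read_unchecked(file_url).startswith(b"root:")  # unchecked: contents come back
        blocked = is_rejected(file_url)                          # checked: ValueError, never opened
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("unchecked urlopen leaked the file: %s; checked variant blocked it: %s" % demo())
```

The check runs on the scheme and host as parsed by urllib.parse, so an uppercase `FILE:` or a bare path without a scheme is refused just like `file:///etc/passwd`; the byte cap on `resp.read()` is what keeps a `/dev/zero`-style source from consuming the server even if a check is ever bypassed.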