[Chicago] urllib & urllib2 will read file URLs security bug!

Carl Meyer carl at oddbird.net
Thu Jun 9 00:25:07 CEST 2011


On 06/08/2011 05:11 PM, Carl Karsten wrote:
> I can appreciate that a browser should be a sand box with _very_
> limited access to the rest of my system.  This lets me click around
> the wild whacky web and not be too worried.
> 
> I have no such desire to put such limitations on applications I run.
> They get full access to whatever the OS gives them access to.  The app
> can use open('/etc/passwd'), cuz I allow apps to do that.  The fact
> that an app can do it using some other function doesn't bother me.
> 
> So personally I don't see what the problem is.

But a browser is just an "application that you run" too, and there are
other apps people might write that ought to be sandboxed similarly,
depending where they get their URLs from and what they do with them.

The point here (IMO) isn't "OMG Python is insecure" -- urllib ought to
be able to handle file:// URLs. It's just something you need to be
keenly aware of if you're writing a Python application that uses these
functions, because if you're accepting URLs from an external source you
could potentially be opening up access to the local system, when you
think you're just accessing remote URLs.

Carl
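
An added illustration of the point above, written for this archive page and not taken from either poster: a Python 3 script (urllib and urllib2 were merged into urllib.request there, so the code assumes Python 3) that rejects externally supplied URLs whose scheme is not http or https before urllib ever sees them, and that builds an opener with no FileHandler as a second line of defence. The sample URLs are constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread): keeping an
attacker-supplied file:// URL away from urllib.

Assumes Python 3, where urllib and urllib2 became urllib.request.
"""
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_url(url, allowed_schemes=ALLOWED_SCHEMES):
    """Return True only if the URL carries an explicitly allowed scheme.

    urlsplit() lowercases the scheme, so "FILE:///etc/passwd" is caught too.
    A bare path such as "/etc/passwd" has an empty scheme and is rejected as
    well, because urllib.request would treat it as a local file.
    """
    scheme = urlsplit(url).scheme
    return scheme in allowed_schemes


def build_remote_only_opener():
    """Build an OpenerDirector that has no FileHandler (nor FTP/data handlers).

    urllib.request.build_opener() installs FileHandler by default, which is
    what lets a file:// URL read the local disk. Assembling the director by
    hand gives defence in depth behind is_allowed_url(); UnknownHandler makes
    unsupported schemes raise URLError instead of returning None.
    """
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPHandler(),
                    urllib.request.HTTPSHandler(),
                    urllib.request.UnknownHandler()):
        opener.add_handler(handler)
    return opener


def classify_url(url):
    """Return 'allowed' or 'rejected' for a URL (handy for audit logging)."""
    return "allowed" if is_allowed_url(url) else "rejected"


def fetch_remote(url, opener=None):
    """Open `url` only if its scheme is allowed; raise ValueError otherwise."""
    if not is_allowed_url(url):
        raise ValueError("refusing non-http(s) URL: %r" % (url,))
    opener = opener or build_remote_only_opener()
    return opener.open(url)


def file_url_is_refused_by_opener(url="file:///etc/passwd"):
    """Show that the hand-built opener cannot open file:// URLs at all."""
    try:
        build_remote_only_opener().open(url)
    except URLError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive from a form or a config.
    for candidate in ("https://example.com/feed.xml",
                      "file:///etc/passwd",
                      "FILE:///etc/passwd",
                      "/etc/passwd",
                      "ftp://example.com/pub/x"):
        print("%-32s %s" % (candidate, classify_url(candidate)))
    print("opener refuses file://:", file_url_is_refused_by_opener())
```

The scheme check is the cheap, explicit control; the restricted opener catches anything that slips past it (a code path that forgot to call the check, for instance). Note that neither guard addresses redirects from a remote server or URLs pointing at internal hosts, which are separate concerns from the file:// issue discussed here.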

