[Chicago] urllib & urllib2 will read file URLs security bug!

Christopher Allan Webber cwebber at dustycloud.org
Thu Jun 9 04:13:24 CEST 2011


It's not that it's a security bug, it's that people might just not be
thinking about it.

What if you have a web service that does some other recursive crawling
of other sites based on requests, something that does recursive crawling
of a site, where it visits one URL, finds more relevant URLs from that
page, visits those URLs?  If somebody puts file:///etc/passwd (or
something worse, because these days /etc/passwd isn't usually the worst
thing you could hit) as an anchor tag, your web service might
accidentally serve up your /etc/passwd.

It's easy to say "oh well that's a feature", and it probably is!  But
it's also good to remind people about these kinds of things now and
then.  No harm anyway!

Carl Karsten <carl at personnelware.com> writes:

> squidclient -p 8000 -m PURGE
> http://us.archive.ubuntu.com/main/debian-installer/binary-amd64/Packages.gz
>
> """
> For security purposes, Mozilla applications block links to local files
> (and directories) from remote files. This includes linking to files on
> your hard drive, on mapped network drives, and accessible via Uniform
> Naming Convention (UNC) paths. This prevents a number of unpleasant
> possibilities, including:
> ...
> """
>
> I can appreciate that a browser should be a sand box with _very_
> limited access to the rest of my system.  This lets me click around
> the wild whacky web and not be too worried.
>
> I have no such desire to put such limitations on applications I run.
> They get full access to whatever the OS gives them access to.  The app
> can use open('/etc/passwd'), cuz I allow apps to do that.  The fact
> that an app can do it using some other function doesn't bother me.
>
> So personally I don't see what the problem is.
>
> On Wed, Jun 8, 2011 at 4:42 PM, Brian Herman <brianherman at gmail.com> wrote:
>> http://blog.codekills.net/archives/100-Python-security-tip-urlliburllib2-will-read-file-URLs.html
>> Thanks,
>> Brian Herman
>>
>> brianjherman.com
>> brianherman at acm.org
>>
>> _______________________________________________
>> Chicago mailing list
>> Chicago at python.org
>> http://mail.python.org/mailman/listinfo/chicago

-- 
The bottom line.
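The crawler scenario above, as an added example that is not part of the thread (written for Python 3's urllib.request rather than the urllib2 being discussed): a scheme allowlist applied to every discovered link before it is fetched, shown next to the unguarded urlopen() call that reads a local file. The temp file standing in for /etc/passwd, the page HTML and the example.test hostname are all constructed.

```python
import pathlib
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen

# Only fetch what a web crawler should: no file:, ftp:, data: or scheme-less links.
ALLOWED_SCHEMES = frozenset({"http", "https"})

def is_allowed(url, allowed=ALLOWED_SCHEMES):
    """True if the URL's scheme is on the allowlist. urlopen() itself will
    happily read file: URLs, so this check has to run before the fetch."""
    return urlparse(url).scheme.lower() in allowed

def guarded_fetch(url):
    """urlopen() behind the allowlist; the crawler calls this for every link."""
    if not is_allowed(url):
        raise ValueError(f"refusing to fetch {url!r}: scheme not allowed")
    with urlopen(url) as resp:
        return resp.read()

class LinkExtractor(HTMLParser):
    """Collect <a href> targets, resolved against the page they came from."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(urljoin(self.base_url, href))

def crawlable_links(page_url, html):
    """Split links found on a page into (to_visit, rejected) by scheme."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    to_visit = [u for u in parser.links if is_allowed(u)]
    rejected = [u for u in parser.links if not is_allowed(u)]
    return to_visit, rejected

def demo():
    # Constructed stand-in for /etc/passwd: a temp file the crawler could reach.
    passwd = pathlib.Path(tempfile.mkdtemp()) / "passwd"
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
    # Constructed page with one ordinary link and one planted file: link.
    html = f'<a href="/about">About</a> <a href="{passwd.as_uri()}">x</a>'
    with urlopen(passwd.as_uri()) as r: unguarded = r.read()  # stdlib reads the local file
    to_visit, rejected = crawlable_links("http://example.test/", html)
    return unguarded, to_visit, rejected
```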