CVE-2011-1521: urllib redirect

The Python urllib and urllib2 modules are typically used to fetch web pages, but by default they also contain handlers for the ftp:// and file:// URL schemes.

Unfortunately, it turns out that a web server can redirect (HTTP 302) a urllib request to any of the supported schemes, so a fetch that started as http:// can end up reading a local file.

  • Disclosure date: 2011-03-24 (Python issue #11662 reported)
  • Reported by: email received on the Python security list

Fixed In

Python issue

Redirect vulnerability in urllib/urllib2.

  • Python issue: issue #11662
  • Creation date: 2011-03-24
  • Reporter: Guido van Rossum

CVE-2011-1521

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
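As an added illustration of the mitigation the fix introduced (this is example code, not CPython's patch or anything from the original report), the handler below refuses a redirect whose target scheme is not http or https. The class name, the `redirect_allowed` helper and the sample URLs are constructed for the demonstration; the file:///etc/passwd and file:///dev/zero targets are the ones named in the CVE text.

```python
"""Scheme-restricted redirect handler for urllib (Python 3).

Demonstrates the idea behind the CVE-2011-1521 fix: a Location header is
only followed when the resolved target uses http or https.  Any other
scheme (file:, ftp:, data:, ...) is refused with an HTTPError instead of
being fetched by the matching urllib handler.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = ("http", "https")


class SafeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: follow redirects to http(s) targets only."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Resolve relative Location values against the original URL first,
        # otherwise a bare path would have an empty scheme and be misjudged.
        target = urljoin(req.full_url, newurl)
        scheme = urlparse(target).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise HTTPError(
                target, code,
                "redirect to %r scheme refused (%s)" % (scheme, msg),
                headers, fp,
            )
        # Delegate to the stock logic for method/code handling.
        return super().redirect_request(req, fp, code, msg, headers, target)


def make_opener():
    """Opener whose default redirect handler is replaced by the safe one."""
    return urllib.request.build_opener(SafeRedirectHandler)


def redirect_allowed(original_url, location):
    """Return True if a 302 from original_url to location would be followed
    by SafeRedirectHandler, False if it would be refused.  No network I/O:
    the handler's redirect_request hook is invoked directly."""
    req = urllib.request.Request(original_url)
    try:
        SafeRedirectHandler().redirect_request(
            req, None, 302, "Found", {}, location)
    except HTTPError:
        return False
    return True
```

Installing the opener with `urllib.request.install_opener(make_opener())` makes every subsequent `urlopen` call apply the same check.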

Timeline

Timeline using the disclosure date 2011-03-24 as reference:

  • 2011-03-24: Python issue #11662 reported by Guido van Rossum
  • 2011-03-24 (+0 days): commit 60a4a90
  • 2011-03-29 (+5 days): commit a119df9
  • 2011-05-24 (+61 days): CVE-2011-1521 published
  • 2011-05-26 (+63 days): Python 2.5.6 released
  • 2011-06-03 (+71 days): Python 2.6.7 released
  • 2011-06-11 (+79 days): Python 2.7.2 released
  • 2011-06-11 (+79 days): Python 3.1.4 released
  • 2011-07-10 (+108 days): Python 3.2.1 released
  • 2012-09-29: Python 3.3.0 released