.. _urllib-redirect:

urllib redirect
===============

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2011-1521>`_.

The Python urllib and urllib2 modules are typically used to fetch web pages
but by default also contains handlers for ``ftp://`` and ``file://`` URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported schemes.

Dates:

* Disclosure date: **2011-03-24** (Python issue bpo-11662 reported)
* Reported by: email received on the Python security list

Fixed In
--------

* Python **2.5.6** (2011-05-28) fixed by `commit 60a4a90 (branch 2.5) <https://github.com/python/cpython/commit/60a4a90c8dd2972eb4bb977e70835be9593cbbac>`_ (2011-03-24)
* Python **2.6.7** (2011-06-04) fixed by `commit 60a4a90 (branch 2.5) <https://github.com/python/cpython/commit/60a4a90c8dd2972eb4bb977e70835be9593cbbac>`_ (2011-03-24)
* Python **2.7.2** (2011-06-11) fixed by `commit 60a4a90 (branch 2.5) <https://github.com/python/cpython/commit/60a4a90c8dd2972eb4bb977e70835be9593cbbac>`_ (2011-03-24)
* Python **3.1.4** (2011-06-11) fixed by `commit a119df9 (branch 3.1) <https://github.com/python/cpython/commit/a119df91f33724f64e6bc1ecb484eeaa30ace014>`_ (2011-03-29)
* Python **3.2.1** (2011-07-09) fixed by `commit a119df9 (branch 3.1) <https://github.com/python/cpython/commit/a119df91f33724f64e6bc1ecb484eeaa30ace014>`_ (2011-03-29)
* Python **3.3.0** (2012-09-29) fixed by `commit a119df9 (branch 3.1) <https://github.com/python/cpython/commit/a119df91f33724f64e6bc1ecb484eeaa30ace014>`_ (2011-03-29)

Python issue
------------

Redirect vulnerability in urllib/urllib2.

* Python issue: `bpo-11662 <https://bugs.python.org/issue11662>`_
* Creation date: 2011-03-24
* Reporter: Guido van Rossum

CVE-2011-1521
-------------

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

* CVE ID: `CVE-2011-1521 <https://nvd.nist.gov/vuln/detail/CVE-2011-1521/>`_
* Published: 2011-05-24
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 6.4

Timeline
--------

Timeline using the disclosure date **2011-03-24** as reference:

* 2011-03-24: `Python issue bpo-11662 <https://bugs.python.org/issue11662>`_ reported by Guido van Rossum
* 2011-03-24: `commit 60a4a90 (branch 2.5) <https://github.com/python/cpython/commit/60a4a90c8dd2972eb4bb977e70835be9593cbbac>`_
* 2011-03-29 (**+5 days**): `commit a119df9 (branch 3.1) <https://github.com/python/cpython/commit/a119df91f33724f64e6bc1ecb484eeaa30ace014>`_
* 2011-05-24 (**+61 days**): CVE-2011-1521 published
* 2011-05-28 (**+65 days**): Python 2.5.6 released
* 2011-06-04 (**+72 days**): Python 2.6.7 released
* 2011-06-11 (**+79 days**): Python 2.7.2 released
* 2011-06-11 (**+79 days**): Python 3.1.4 released
* 2011-07-09 (**+107 days**): Python 3.2.1 released
* 2012-09-29: Python 3.3.0 released