urllib redirect¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
The Python urllib and urllib2 modules are typically used to fetch web pages, but by default they also contain handlers for the ftp:// and file:// URL schemes. Unfortunately, a web server can redirect (HTTP 302) a urllib request to any of the supported schemes: a malicious server answering with a Location header such as file:///etc/passwd makes the client read a local file, and file:///dev/zero makes it consume resources without end.
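The redirect-following behaviour above, and the kind of check the fix introduced (refusing a Location target whose scheme is not one of http, https or ftp), as an added example that is not code from the Python project or from the commits listed below: a urllib.request redirect handler that enforces a stricter policy than the patched stdlib (http and https only, plus an optional host allowlist), together with a helper that simulates one redirect hop offline. The names StrictRedirectHandler, is_allowed_redirect, follow_redirect and build_strict_opener are my own, and the example.com / evil.example URLs are constructed for the demonstration.

```python
"""Stricter redirect policy for urllib.request (added example; not CPython code).

A patched urllib refuses a Location header whose scheme is not http, https or
ftp. This handler goes further: http/https only, plus an optional host
allowlist, so a 302 cannot steer the client to file://, ftp:// or an
unexpected host. All names and sample URLs here are constructed for the example.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_redirect(newurl, allowed_hosts=None):
    """Return True if an absolute redirect target passes the policy.

    The scheme must be http or https (never file:// or ftp://), the URL must
    name a host, and, if allowed_hosts is given, the host must be in it.
    """
    parts = urlparse(newurl)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:  # e.g. "http:///x" carries no authority at all
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


class StrictRedirectHandler(HTTPRedirectHandler):
    """HTTPRedirectHandler that applies is_allowed_redirect to every hop."""

    def __init__(self, allowed_hosts=None):
        super().__init__()
        # urlparse lower-cases hostnames, so normalise the allowlist the same way
        self.allowed_hosts = (
            None if allowed_hosts is None else {h.lower() for h in allowed_hosts}
        )

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # By the time urllib calls this, newurl has already been joined against
        # the request URL, so a relative Location is absolute here.
        if not is_allowed_redirect(newurl, self.allowed_hosts):
            raise HTTPError(
                newurl, code,
                "%s - redirect to %r refused by policy" % (msg, newurl),
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def follow_redirect(handler, original_url, location, code=302):
    """Simulate one redirect hop without touching the network.

    Mirrors what HTTPRedirectHandler.http_error_302 does before handing off:
    join the Location value against the original URL, then ask the handler
    for the follow-up request. Returns the new URL, or None if refused.
    """
    req = Request(original_url)
    newurl = urljoin(original_url, location)
    try:
        new_req = handler.redirect_request(req, None, code, "Found", {}, newurl)
    except HTTPError:
        return None
    return new_req.full_url


def build_strict_opener(allowed_hosts=None):
    """Opener with the strict handler installed instead of the default one."""
    return build_opener(StrictRedirectHandler(allowed_hosts))


if __name__ == "__main__":
    handler = StrictRedirectHandler(allowed_hosts={"example.com"})
    for loc in ("/login", "file:///etc/passwd", "ftp://example.com/pub",
                "//evil.example/x", "https://example.com/x"):
        print("%-24s -> %s" % (loc, follow_redirect(handler, "http://example.com/", loc)))
```

Because build_opener replaces the stock HTTPRedirectHandler with any subclass you pass, the stdlib's own scheme check in http_error_302 still runs first and this class only tightens it; a refused hop surfaces to the caller as urllib.error.HTTPError rather than as a silently opened file:// or ftp:// resource.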
Dates:
- Disclosure date: 2011-03-24 (Python issue bpo-11662 reported)
- Reported by: email received on the Python security list
Fixed In¶
- Python 2.5.6 (2011-05-28) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)
- Python 2.6.7 (2011-06-04) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)
- Python 2.7.2 (2011-06-11) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)
- Python 3.1.4 (2011-06-11) fixed by commit a119df9 (branch 3.1) (2011-03-29)
- Python 3.2.1 (2011-07-09) fixed by commit a119df9 (branch 3.1) (2011-03-29)
- Python 3.3.0 (2012-09-29) fixed by commit a119df9 (branch 3.1) (2011-03-29)
Python issue¶
Redirect vulnerability in urllib/urllib2.
- Python issue: bpo-11662
- Creation date: 2011-03-24
- Reporter: Guido van Rossum
CVE-2011-1521¶
The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
- CVE ID: CVE-2011-1521
- Published: 2011-05-24
- CVSS Score: 6.4
Timeline¶
Timeline using the disclosure date 2011-03-24 as reference:
- 2011-03-24: Python issue bpo-11662 reported by Guido van Rossum
- 2011-03-24: commit 60a4a90 (branch 2.5)
- 2011-03-29 (+5 days): commit a119df9 (branch 3.1)
- 2011-05-24 (+61 days): CVE-2011-1521 published
- 2011-05-28 (+65 days): Python 2.5.6 released
- 2011-06-04 (+72 days): Python 2.6.7 released
- 2011-06-11 (+79 days): Python 2.7.2 released
- 2011-06-11 (+79 days): Python 3.1.4 released
- 2011-07-09 (+107 days): Python 3.2.1 released
- 2012-09-29: Python 3.3.0 released