urllib redirect

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The Python urllib and urllib2 modules are typically used to fetch web pages, but by default they also contain handlers for the ftp:// and file:// URL schemes.

Unfortunately, a web server can redirect (HTTP 302) a urllib request to any of the supported schemes, so a Location header pointing at a file:// URL is followed just like one pointing at http://.
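The defensive check the fix introduced, shown here as an added example in Python 3's urllib.request (not code from the advisory or from CPython): a redirect handler that refuses any Location target outside an allowlist of schemes. It tightens the stock behaviour by dropping ftp:// as well; the class and function names are hypothetical.

```python
"""Reject HTTP redirects whose target leaves the http/https schemes.

Added example, not CPython's own code. Since the bpo-11662 fix urllib
already refuses redirects to file:, this handler re-states that check in
user code and additionally drops ftp. Names are hypothetical.
"""
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(location: str) -> bool:
    """Return True only if the (absolute) Location target uses an allowed scheme."""
    scheme = urlparse(location).scheme.lower()
    return scheme in ALLOWED_SCHEMES


class SchemeRestrictedRedirectHandler(HTTPRedirectHandler):
    """Drop-in handler: urllib calls redirect_request with the Location
    header already resolved to an absolute URL (newurl)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_safe_redirect(newurl):
            # Refusing here stops a 302 to file:///etc/passwd or
            # file:///dev/zero before urllib opens the target.
            raise HTTPError(newurl, code, "redirect to disallowed scheme", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_restricted_opener():
    """Opener to use instead of urlopen() when fetching untrusted URLs."""
    return build_opener(SchemeRestrictedRedirectHandler())


def follow_redirect(from_url: str, location: str):
    """Drive the handler directly (no network): return the URL the redirect
    would be followed to, or None when the handler refuses the target."""
    handler = SchemeRestrictedRedirectHandler()
    try:
        new_req = handler.redirect_request(Request(from_url), None, 302, "Found", {}, location)
    except HTTPError:
        return None
    return new_req.full_url


if __name__ == "__main__":
    # Constructed sample redirect targets, as an HTTP server might send them.
    for target in ("https://example.invalid/ok", "file:///etc/passwd", "ftp://example.invalid/x"):
        print(target, "->", follow_redirect("http://example.invalid/", target))
```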

Dates:

  • Disclosure date: 2011-03-24 (Python issue bpo-11662 reported)
  • Reported by: email received on the Python security list

Fixed In

Python issue

Redirect vulnerability in urllib/urllib2.

  • Python issue: bpo-11662
  • Creation date: 2011-03-24
  • Reporter: Guido van Rossum

CVE-2011-1521

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

Timeline

Timeline using the disclosure date 2011-03-24 as reference:

  • 2011-03-24: Python issue bpo-11662 reported by Guido van Rossum
  • 2011-03-24: commit 60a4a90 (branch 2.5)
  • 2011-03-29 (+5 days): commit a119df9 (branch 3.1)
  • 2011-05-24 (+61 days): CVE-2011-1521 published
  • 2011-05-28 (+65 days): Python 2.5.6 released
  • 2011-06-04 (+72 days): Python 2.6.7 released
  • 2011-06-11 (+79 days): Python 2.7.2 released
  • 2011-06-11 (+79 days): Python 3.1.4 released
  • 2011-07-09 (+107 days): Python 3.2.1 released
  • 2012-09-29: Python 3.3.0 released