Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/urllib-redirect.html below:

urllib redirect — Python Security 0.0 documentation

The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contains handlers for ftp:// and file:// URL schemes.

Now unfortunately it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes.

Dates:

• Disclosure date: 2011-03-24 (Python issue bpo-11662 reported)

• Reported by: email received on the Python security list

• Python 2.5.6 (2011-05-28) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)

• Python 2.6.7 (2011-06-04) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)

• Python 2.7.2 (2011-06-11) fixed by commit 60a4a90 (branch 2.5) (2011-03-24)

• Python 3.1.4 (2011-06-11) fixed by commit a119df9 (branch 3.1) (2011-03-29)

• Python 3.2.1 (2011-07-09) fixed by commit a119df9 (branch 3.1) (2011-03-29)

• Python 3.3.0 (2012-09-29) fixed by commit a119df9 (branch 3.1) (2011-03-29)

Redirect vulnerability in urllib/urllib2.

• Python issue: bpo-11662

• Creation date: 2011-03-24

• Reporter: Guido van Rossum

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

• CVE ID: CVE-2011-1521

• Published: 2011-05-24

• CVSS Score: 6.4

Timeline using the disclosure date 2011-03-24 as reference:

• 2011-03-24: Python issue bpo-11662 reported by Guido van Rossum

• 2011-03-24: commit 60a4a90 (branch 2.5)

• 2011-03-29 (+5 days): commit a119df9 (branch 3.1)

• 2011-05-24 (+61 days): CVE-2011-1521 published

• 2011-05-28 (+65 days): Python 2.5.6 released

• 2011-06-04 (+72 days): Python 2.6.7 released

• 2011-06-11 (+79 days): Python 2.7.2 released

• 2011-06-11 (+79 days): Python 3.1.4 released

• 2011-07-09 (+107 days): Python 3.2.1 released

• 2012-09-29: Python 3.3.0 released

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4