oss-sec mailing list archives

CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 24 Mar 2011 17:59:33 +0100


Hello Steve, vendors,

  A security flaw was found in the way handlers for ftp:// and
file:// URL schemes in the Python urllib and urllib2 extensible
libraries processed the urllib open URL request. A remote attacker
could use this flaw to access sensitive information or cause
a denial of service (excessive CPU and memory use) of a Python
web application, processing URLs, via a specially-crafted urllib
open URL request.

References:
[1] http://bugs.python.org/issue11662
[2] https://bugzilla.redhat.com/show_bug.cgi?id=690560

Could you allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
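Added example (not code from the report, from Red Hat or from Python itself): a defender-side scheme allow-list for the Python 3 `urllib.request` API that refuses `file://` and `ftp://` both for the URL a caller supplies and for the target of an HTTP redirect, which is the kind of scheme confinement a web application fetching URLs needs against this class of flaw. The allow-list policy, the class and function names and the example hostnames are assumptions of this example.

```python
# Scheme allow-listing for urllib.request (Python 3 names for the 2011-era urllib/urllib2).
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed policy for this example: a web application fetching remote resources
# should only reach http(s), whether the URL comes from the caller or from a redirect.
ALLOWED_SCHEMES = frozenset({"http", "https"})

def scheme_allowed(url, allowed=ALLOWED_SCHEMES):
    """True if the URL's scheme is on the allow-list (case-insensitive)."""
    return urlsplit(url).scheme.lower() in allowed

class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse to follow a redirect whose target scheme is not allowed, so a
    302 to file:///etc/passwd or ftp://... is an error, not a fetch."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not scheme_allowed(newurl):
            raise urllib.error.HTTPError(
                newurl, code, f"redirect to disallowed scheme: {newurl}",
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def build_safe_opener():
    """Opener with HTTP(S) handlers only: no FileHandler, no FTPHandler.
    UnknownHandler turns any other scheme into a URLError."""
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPHandler(), urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(),
                    urllib.request.HTTPErrorProcessor(),
                    SchemeCheckingRedirectHandler(),
                    urllib.request.UnknownHandler()):
        opener.add_handler(handler)
    return opener

def safe_urlopen(url, timeout=10):
    """Reject a disallowed scheme up front, then open with the safe opener."""
    if not scheme_allowed(url):
        raise ValueError(f"refusing URL with disallowed scheme: {url}")
    return build_safe_opener().open(url, timeout=timeout)

def classify_redirect(from_url, to_url):
    """Offline check of the redirect policy: 'followed' or 'rejected'."""
    try:
        SchemeCheckingRedirectHandler().redirect_request(
            urllib.request.Request(from_url), None, 302, "Found", {}, to_url)
    except urllib.error.HTTPError:
        return "rejected"
    return "followed"
```

With the stock `urllib.request.build_opener()` the default handler set includes FileHandler and FTPHandler, so the explicit opener above is what removes them.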
