|
1 | | -''' Example dangerous usage of urllib[2] opener functions |
| 1 | +''' Example dangerous usage of urllib.request opener functions |
2 | 2 |
|
3 | | -The urllib and urllib2 opener functions and object can open http, ftp, |
| 3 | +The urllib.request opener functions and object can open http, ftp, |
4 | 4 | and file urls. Often, the ability to open file urls is overlooked leading |
5 | 5 | to code that can unexpectedly open files on the local server. This |
6 | 6 | could be used by an attacker to leak information about the server. |
7 | 7 | ''' |
8 | 8 |
|
9 | | - |
10 | | -import urllib |
11 | | -import urllib2 |
12 | | - |
13 | 9 | # Python 3 |
14 | 10 | import urllib.request |
15 | 11 |
|
16 | 12 | # Six |
17 | 13 | import six |
18 | 14 |
|
19 | 15 | def test_urlopen(): |
20 | | - # urllib |
21 | | - url = urllib.quote('file:///bin/ls') |
22 | | - urllib.urlopen(url, 'blah', 32) |
23 | | - urllib.urlretrieve('file:///bin/ls', '/bin/ls2') |
24 | | - opener = urllib.URLopener() |
25 | | - opener.open('file:///bin/ls') |
26 | | - opener.retrieve('file:///bin/ls') |
27 | | - opener = urllib.FancyURLopener() |
28 | | - opener.open('file:///bin/ls') |
29 | | - opener.retrieve('file:///bin/ls') |
30 | | - |
31 | | - # urllib2 |
32 | | - handler = urllib2.HTTPBasicAuthHandler() |
33 | | - handler.add_password(realm='test', |
34 | | - uri='http://mysite.com', |
35 | | - user='bob') |
36 | | - opener = urllib2.build_opener(handler) |
37 | | - urllib2.install_opener(opener) |
38 | | - urllib2.urlopen('file:///bin/ls') |
39 | | - urllib2.Request('file:///bin/ls') |
40 | | - |
41 | 16 | # Python 3 |
42 | 17 | urllib.request.urlopen('file:///bin/ls') |
43 | 18 | urllib.request.urlretrieve('file:///bin/ls', '/bin/ls2') |
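Review bot: `import six` (new line 13, under the `# Six` comment) is left in place although nothing in the file references `six`, and with the urllib/urllib2 branches removed there is no longer any Python 2 path that could justify keeping it; drop the two lines `# Six` / `import six`. The `# Python 3` comments above `import urllib.request` (new line 9) and inside `test_urlopen` (new line 16) likewise no longer distinguish anything now that the file is Python-3-only and read as leftovers of the old split. The rewritten docstring says "opener functions and object"; `opener functions and objects` is presumably what is meant. The `file:///bin/ls` calls in `test_urlopen` are unchanged by the commit and appear to be the example's intended finding, so the cleanup should not touch them.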
|