~ubuntu-branches/ubuntu/wily/bandit/wily-proposed


Viewing changes to examples/urlopen.py

  • Committer: Package Import Robot
  • Author(s): Dave Walker (Daviey)
  • Date: 2015-07-22 09:01:39 UTC
  • Revision ID: package-import@ubuntu.com-20150722090139-fl0nluy0x8m9ctx4
Tags: upstream-0.12.0
Import upstream version 0.12.0

 
1
''' Example dangerous usage of urllib[2] opener functions
 
2
 
 
3
The urllib and urllib2 opener functions and object can open http, ftp,
 
4
and file urls. Often, the abilit to open file urls is overlooked leading
 
5
to code that can unexpectedly open files on the local server. This
 
6
could be used by an attacker to leak information about the server.
 
7
'''
 
8
 
 
9
 
 
10
import urllib
 
11
import urllib2
 
12
 
 
13
def test_urlopen():
 
14
    # urllib
 
15
    url = urllib.quote('file:///bin/ls')
 
16
    urllib.urlopen(url, 'blah', 32)
 
17
    urllib.urlretrieve('file:///bin/ls', '/bin/ls2')
 
18
    opener = urllib.URLopener()
 
19
    opener.open('file:///bin/ls')
 
20
    opener.retrieve('file:///bin/ls')
 
21
    opener = urllib.FancyURLopener()
 
22
    opener.open('file:///bin/ls')
 
23
    opener.retrieve('file:///bin/ls')
 
24
 
 
25
    # urllib2
 
26
    handler = urllib2.HTTPBasicAuthHandler()
 
27
    handler.add_password(realm='test',
 
28
                         uri='http://mysite.com',
 
29
                         user='bob',
 
30
                         passwd='blah')
 
31
    opener = urllib2.build_opener(handler)
 
32
    urllib2.install_opener(opener)
 
33
    urllib2.urlopen('file:///bin/ls')
 
34
    urllib2.Request('file:///bin/ls')
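Review bot: line 15 percent-encodes the scheme separator, so line 16 does not exercise the file-URL case the docstring warns about: `urllib.quote('file:///bin/ls')` uses the default `safe='/'` and turns the colon into `%3A`, giving `file%3A///bin/ls`, which `urllib.urlopen` no longer treats as a `file:` URL; the same call also passes `32` positionally into the third parameter (`proxies`), which `URLopener.__init__` asserts must be a mapping. If the point of this fixture is the call pattern a static check should flag, pass the literal `'file:///bin/ls'` as the other calls on lines 17-23 already do and drop the stray positional arguments, so the example stays a faithful instance of the dangerous usage it documents. Also fix the typo on line 4: "abilit" should read "ability".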