''' Example dangerous usage of urllib[2] opener functions
The urllib and urllib2 opener functions and objects can open http, ftp,
and file urls. Often, the ability to open file urls is overlooked, leading
to code that can unexpectedly open files on the local server. This
could be used by an attacker to leak information about the server.
'''
# The open/retrieve calls below are all handed a file: URL. Where the URL
# string can be influenced by a caller, validate its scheme against an
# allow-list (for example http and https only) before it reaches any of them.

# The percent-encoded string is passed to urlopen() with two further
# positional arguments.
url = urllib.quote("file:///bin/ls")
urllib.urlopen(url, "blah", 32)

# urlretrieve() is also given a destination path for the fetched content.
urllib.urlretrieve("file:///bin/ls", "/bin/ls2")

# Opener objects are given the same file: URL through open() and retrieve().
opener = urllib.URLopener()
opener.open("file:///bin/ls")
opener.retrieve("file:///bin/ls")

opener = urllib.FancyURLopener()
opener.open("file:///bin/ls")
opener.retrieve("file:///bin/ls")
# Basic-auth handler; the add_password() call that follows registers
# credentials on it, and it is later passed to build_opener().
handler = urllib2.HTTPBasicAuthHandler()
handler.add_password(realm='test',
uri='http://mysite.com',
# build_opener() combines the handler passed in with urllib2's default
# handlers, and those defaults include one for file: URLs. Adding an auth
# handler therefore does not narrow the set of schemes the opener accepts.
opener = urllib2.build_opener(handler)

# install_opener() makes this opener the default used by urllib2.urlopen().
urllib2.install_opener(opener)
urllib2.urlopen("file:///bin/ls")

# Request() only constructs the request object here; it is not opened.
urllib2.Request("file:///bin/ls")