From the upstream bug at $URL:

description:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contain handlers for ftp:// and file:// URL schemes.

Now unfortunately it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes.

Examples on how this could turn bad:

1) File disclosure: A web application, that normally fetches and displays a web page, is redirected to file:///etc/passwd and discloses it.

2) Denial of Service: An application is redirected to a system device (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk usage.
CVE-2011-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1521): The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Covered by GLSA 201401-04.
Closing as fixed.
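
As an added illustration of the defensive side of this bug (not code from the upstream report, the Python fix, or the GLSA): an application-level opener for Python 3's `urllib.request` that registers no file or FTP handlers and rejects any redirect whose `Location` scheme is outside an allowlist. The class and function names, the `example.invalid` URLs, and the choice to allow only `http` and `https` are assumptions made for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web pages.
ALLOWED_SCHEMES = {"http", "https"}


class SchemeAllowlistRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse any 3xx redirect whose target scheme is not allowlisted."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        scheme = urlsplit(newurl).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise urllib.error.HTTPError(
                req.full_url, code,
                "redirect to scheme %r blocked" % scheme, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_web_only_opener():
    """Opener with no file://, ftp:// or data: handlers registered at all."""
    opener = urllib.request.OpenerDirector()
    handlers = [
        urllib.request.HTTPHandler(),
        SchemeAllowlistRedirectHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPErrorProcessor(),
        urllib.request.UnknownHandler(),  # turns unhandled schemes into URLError
    ]
    if hasattr(urllib.request, "HTTPSHandler"):  # absent when ssl is unavailable
        handlers.append(urllib.request.HTTPSHandler())
    for handler in handlers:
        opener.add_handler(handler)
    return opener


def redirect_allowed(location, origin="http://example.invalid/page"):
    """Check a Location value against the handler without any network I/O."""
    handler = SchemeAllowlistRedirectHandler()
    req = urllib.request.Request(origin)  # constructed sample request
    try:
        handler.redirect_request(req, None, 302, "Found", {}, location)
        return True
    except urllib.error.HTTPError:
        return False
```

Using `build_web_only_opener().open(url)` in place of `urllib.request.urlopen(url)` means a `file:` target fails both as a redirect destination and as a directly supplied URL.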