I discovered, entirely by accident, that urllib.urlretrieve, and probably others, will happily read file:// URLs and filesystem paths. For example:

>>> import urllib, urllib2
>>> urllib.urlretrieve("database_connection_settings.txt", "/tmp/temp_file")
('/tmp/temp_file', <mimetools.Message instance at 0x…>)
>>> urllib2.urlopen("file:///dev/urandom").read(10)
'\xf1r?\x0fC\x86p\x05\xa4\xdd'
This means that applications which blindly urlopen untrusted URLs (for example, from RSS feeds) are potentially vulnerable to information disclosure and denial of service attacks.
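An added example, not part of the original report, showing the two checks an application that opens feed URLs would want. It uses Python 3's urllib.request (the successor of the urllib/urllib2 modules above); the assumption, which holds for the stock library, is that urllib.request.urlopen and build_opener() still install a FileHandler by default and so still read file:// URLs. The first check allowlists the scheme before any opener sees the string, so bare paths and file:// are refused up front; the second assembles an OpenerDirector by hand so that it has no FileHandler, FTPHandler or DataHandler at all, and a file:// URL that somehow reaches it fails with URLError instead of returning file contents. Names (is_allowed_url, build_restricted_opener, fetch_feed) and the temp file with a fake secret are constructed for the demonstration.

```python
import os
import tempfile
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical policy for this example: feeds are fetched over http(s) only.
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_url(url):
    """True only for absolute http(s) URLs that name a host.

    file://, ftp://, data:, an empty scheme and a bare filesystem path such as
    "database_connection_settings.txt" are all rejected before an opener runs.
    urlsplit() already lowercases the scheme, so "FILE://" is caught too.
    """
    parts = urllib.parse.urlsplit(url.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def build_restricted_opener():
    """An OpenerDirector that knows only http and https.

    urllib.request.build_opener() adds FileHandler (plus FTPHandler and
    DataHandler) by default.  Wiring the director by hand leaves them out, so
    a file:// URL hits UnknownHandler and raises URLError('unknown url type').
    """
    opener = urllib.request.OpenerDirector()
    handlers = [
        urllib.request.HTTPHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPErrorProcessor(),
        urllib.request.UnknownHandler(),
    ]
    if hasattr(urllib.request, "HTTPSHandler"):  # absent only if ssl is missing
        handlers.append(urllib.request.HTTPSHandler())
    for handler in handlers:
        opener.add_handler(handler)
    return opener


def fetch_feed(url, opener=None, max_bytes=1 << 20, timeout=10):
    """Fetch an untrusted feed URL with both defences applied.

    max_bytes caps the read so a slow or endless response (the /dev/urandom
    case above) cannot be turned into a memory-exhaustion denial of service.
    """
    if not is_allowed_url(url):
        raise ValueError("refusing non-http(s) URL: %r" % (url,))
    opener = opener or build_restricted_opener()
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(max_bytes)


def fetch_refused(url):
    """Helper for the checks below: True if fetch_feed rejects the URL."""
    try:
        fetch_feed(url)
    except ValueError:
        return True
    return False


def demo_default_vs_restricted():
    """Constructed demonstration of the difference between the two openers.

    Writes a temp file holding a fake secret, then returns
    (bytes the default opener reads via file://, whether the restricted
    opener refused the same URL).
    """
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(b"db_password=hunter2\n")  # constructed, not a real credential
        path = f.name
    try:
        file_url = "file://" + urllib.request.pathname2url(path)
        with urllib.request.urlopen(file_url) as resp:  # default opener
            default_bytes = resp.read()
        try:
            build_restricted_opener().open(file_url)
            refused = False
        except urllib.error.URLError:
            refused = True
        return default_bytes, refused
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, refused = demo_default_vs_restricted()
    print("default opener read:", leaked, "| restricted opener refused:", refused)
```

The scheme allowlist is the check that matters for a feed reader; the hand-built opener is defence in depth for code paths that call opener.open() with a URL that was never validated.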