Commits

Anonymous committed ca3b117

Add FTP to the allowed url schemes. Add Misc/NEWS.

  • Parent commits dd852a0
  • Branches 2.5

Files changed (3)

File Lib/urllib.py

         newurl = basejoin(self.type + ":" + url, newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         void = fp.read()
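
Review bot: the refusal path, the bare `return` directly under the `startswith` chain, drops the redirect silently, so the caller receives None with nothing to indicate that a redirect was blocked because of its scheme. Consider reporting the refused redirect as an error instead, or at minimum extend the comment above the check to say what the caller gets back when the scheme is not allowed.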

File Lib/urllib2.py

         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         # XXX Probably want to forget about the state of the current
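
Review bot: the allow-list in the `if not (newurl_lower.startswith(...` condition is now a three-way prefix chain duplicated from Lib/urllib.py, and the updated comment names FTP without saying why it is safe to follow from an HTTP response. Suggest comparing the parsed scheme of `newurl` against one tuple of allowed schemes so the two modules cannot drift apart, adding a line to the comment with the reason FTP is included, and adding a test for one allowed and one refused scheme, since none of the three files changed here is a test.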

File Misc/NEWS

 Library
 -------
 
+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+  scheme is not HTTP, HTTPS or FTP.  This fixes a security hole.
+
 - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
   overflow checks in the audioop module (CVE-2010-1634).
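
Review bot: the new entry ends with "This fixes a security hole" but does not say what the hole was, while the audioop entry just below it names the defect and cites its CVE. Suggest stating which kind of redirect was being followed before this change and, if an identifier was assigned to the issue, citing it the same way so readers of the 2.5 branch can judge whether they need the update.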