Commits

Anonymous committed dd852a0

Issue 22663: fix redirect vulnerability in urllib/urllib2.

  • Participants
  • Parent commits f9763c3
  • Branches 2.5

Comments (0)

Files changed (2)

File Lib/urllib.py

             newurl = headers['uri']
         else:
             return
+
+        # In case the server sent a relative URL, join with original:
+        newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
         void = fp.read()
         fp.close()
-        # In case the server sent a relative URL, join with original:
-        newurl = basejoin(self.type + ":" + url, newurl)
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):

File Lib/urllib2.py

             return
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
         # XXX Probably want to forget about the state of the current
         # request, although that might interact poorly with other
         # handlers that also use handler-specific request attributes