http://hg.python.org/cpython/rev/dd852a0f92d6 changeset: 69040:dd852a0f92d6 branch: 2.5 parent: 68801:f9763c363cc3 user: guido@google.com date: Thu Mar 24 08:07:45 2011 -0700 summary: Issue 22663: fix redirect vulnerability in urllib/urllib2. files: Lib/urllib.py | 13 +++++++++++-- Lib/urllib2.py | 7 +++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/Lib/urllib.py b/Lib/urllib.py --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -638,10 +638,19 @@ newurl = headers['uri'] else: return + + # In case the server sent a relative URL, join with original: + newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP or HTTPS. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://')): + return + void = fp.read() fp.close() - # In case the server sent a relative URL, join with original: - newurl = basejoin(self.type + ":" + url, newurl) return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/Lib/urllib2.py b/Lib/urllib2.py --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -555,6 +555,13 @@ return newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP or HTTPS. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://')): + return + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes -- Repository URL: http://hg.python.org/cpython