[New-bugs-announce] [issue7920] urllib2.HTTPRedirectHandler incorrect redirect
Andres Riancho
report at bugs.python.org
Fri Feb 12 22:44:44 CET 2010
New submission from Andres Riancho <andresriancho at users.sourceforge.net>:
Buggy code:
"""
if 'location' in headers:
    newurl = headers.getheaders('location')[0]
elif 'uri' in headers:
    newurl = headers.getheaders('uri')[0]
else:
    return
newurl = urlparse.urljoin(req.get_full_url(), newurl)
"""
You might end up being redirected to some "strange" location: if for some reason the value of "location" is C:\boot.ini and you urlparse.urljoin the current URL with that one, you end up with C:\boot.ini. When the urllib2 library opens that, it will open a local file. What I did to fix it is to verify that the protocol of the newurl is http or https.
"""
correct_protocol = newurl.startswith('http://') or newurl.startswith('https://')
if not correct_protocol:
    return
"""
The fix should be applied just below the dangerous urlparse.urljoin.
----------
components: Library (Lib)
messages: 99292
nosy: andresriancho
severity: normal
status: open
title: urllib2.HTTPRedirectHandler incorrect redirect
versions: Python 2.5, Python 2.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue7920>
_______________________________________
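
The join behaviour described in the report and the scheme check it proposes, as an added example that is not part of the original report or of urllib2. It uses Python 3's urllib.parse (the successor of the urlparse module) and goes slightly beyond the report by checking the parsed scheme instead of a string prefix, so a differently cased scheme is still accepted. The helper name resolve_redirect and the example.com URLs are assumptions made for illustration.

```python
# Added example (not code from the report). Python 3: urllib.parse replaces
# the Python 2 urlparse module named in the report.
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the two protocols the report allows


def resolve_redirect(current_url, location):
    """Return the absolute redirect target, or None if it must not be followed.

    Hypothetical helper: joins the way the handler does, then checks the
    parsed scheme of the result instead of a string prefix.
    """
    newurl = urljoin(current_url, location)
    scheme = urlsplit(newurl).scheme  # urlsplit lowercases the scheme
    if scheme not in ALLOWED_SCHEMES:
        return None
    return newurl


# Constructed sample Location values; example.com is a placeholder host.
SAMPLES = [
    "/login",                   # relative: inherits http from the current URL
    "https://example.com/new",  # absolute https
    "HTTPS://example.com/new",  # scheme case differs; still https
    "C:\\boot.ini",             # value from the report: parsed as scheme "c"
]

if __name__ == "__main__":
    base = "http://example.com/start"
    for value in SAMPLES:
        # urljoin returns the Location value unchanged when its scheme
        # differs from the base URL's, which is the case the report describes.
        print(repr(value), "->", repr(urljoin(base, value)), "=>",
              resolve_redirect(base, value))
```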