[issue7920] urllib2.HTTPRedirectHandler incorrect redirect

Andres Riancho report at bugs.python.org
Fri Feb 12 22:44:45 CET 2010

New submission from Andres Riancho <andresriancho at users.sourceforge.net>:

Buggy code:

        if 'location' in headers:
            newurl = headers.getheaders('location')[0]
        elif 'uri' in headers:
            newurl = headers.getheaders('uri')[0]
        newurl = urlparse.urljoin(req.get_full_url(), newurl)

You might end up being redirected to some "strange" location: if for some reason the value of "location" is C:\boot.ini and you urlparse.urljoin the current URL with that one, you end up with C:\boot.ini. When the urllib2 library opens that, it will open a local file. What I did to fix it is to verify that the protocol of the newurl is http or https.

        correct_protocol = newurl.startswith('http://') or newurl.startswith('https://')
        if not correct_protocol:


The fix should be applied just below the dangerous urlparse.urljoin.

components: Library (Lib)
messages: 99292
nosy: andresriancho
severity: normal
status: open
title: urllib2.HTTPRedirectHandler incorrect redirect
versions: Python 2.5, Python 2.6

Python tracker <report at bugs.python.org>
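The behaviour reported above, as an added example that is not part of the original report or of CPython's code: it uses Python 3's `urllib.parse` in place of Python 2's `urlparse`, and the names `resolve_redirect`, `check_all` and `UnsafeRedirect` are hypothetical. It parses the scheme of the joined URL rather than using `startswith`, so a mixed-case `HTTPS://` target is still accepted.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: only these schemes are acceptable redirect targets.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


class UnsafeRedirect(ValueError):
    """Raised when a redirect target resolves to a non-HTTP(S) URL."""


def resolve_redirect(current_url, location):
    """Join a Location/URI header value against the current URL and
    refuse any result whose scheme is not http or https."""
    newurl = urljoin(current_url, location)
    # urljoin returns `location` untouched when it carries its own scheme,
    # and "C:\boot.ini" parses as scheme "c", so the check must come
    # after the join, on the final URL.
    scheme = urlsplit(newurl).scheme  # urlsplit lowercases the scheme
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise UnsafeRedirect("refusing redirect to %r (scheme %r)" % (newurl, scheme))
    return newurl


def check_all(current_url, locations):
    """Return {location: resolved URL, or None if the redirect was refused}."""
    results = {}
    for loc in locations:
        try:
            results[loc] = resolve_redirect(current_url, loc)
        except UnsafeRedirect:
            results[loc] = None
    return results


if __name__ == "__main__":
    # Constructed sample header values; example.com/example.org are placeholders.
    samples = ["/login", "HTTPS://example.org/x", "C:\\boot.ini", "ftp://example.com/f"]
    for loc, resolved in check_all("http://example.com/a/b", samples).items():
        print("%-24r -> %r" % (loc, resolved))
```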
