[Python-checkins] cpython (2.5): Issue 22663: fix redirect vulnerability in urllib/urllib2.
guido.van.rossum
python-checkins at python.org
Tue Mar 29 22:10:55 CEST 2011
http://hg.python.org/cpython/rev/dd852a0f92d6
changeset: 69040:dd852a0f92d6
branch: 2.5
parent: 68801:f9763c363cc3
user: guido at google.com
date: Thu Mar 24 08:07:45 2011 -0700
summary:
Issue 22663: fix redirect vulnerability in urllib/urllib2.
files:
Lib/urllib.py | 13 +++++++++++--
Lib/urllib2.py | 7 +++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/Lib/urllib.py b/Lib/urllib.py
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@
newurl = headers['uri']
else:
return
+
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
+
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
void = fp.read()
fp.close()
- # In case the server sent a relative URL, join with original:
- newurl = basejoin(self.type + ":" + url, newurl)
return self.open(newurl)
def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@
return
newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
# XXX Probably want to forget about the state of the current
# request, although that might interact poorly with other
# handlers that also use handler-specific request attributes
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list