[Python-checkins] r88819 - in python/branches/release25-maint/Lib: urllib.py urllib2.py

martin.v.loewis python-checkins at python.org
Sun Apr 17 22:38:14 CEST 2011


Author: martin.v.loewis
Date: Sun Apr 17 22:38:14 2011
New Revision: 88819

Log:
hg dd852a0f92d6 by guido at google.com
Issue 22663: fix redirect vulnerability in urllib/urllib2.


Modified:
   python/branches/release25-maint/Lib/urllib.py
   python/branches/release25-maint/Lib/urllib2.py

Modified: python/branches/release25-maint/Lib/urllib.py
==============================================================================
--- python/branches/release25-maint/Lib/urllib.py	(original)
+++ python/branches/release25-maint/Lib/urllib.py	Sun Apr 17 22:38:14 2011
@@ -638,10 +638,19 @@
             newurl = headers['uri']
         else:
             return
-        void = fp.read()
-        fp.close()
+
         # In case the server sent a relative URL, join with original:
         newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
+        void = fp.read()
+        fp.close()
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
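Review bot: with `void = fp.read()` / `fp.close()` moved below the new scheme check, the early `return` for a non-HTTP(S) redirect target now leaves the response body unread and `fp` open, whereas before this change the body was always drained and closed before the redirect was followed; move the `fp.read()` / `fp.close()` pair above the check (or close `fp` on the rejected path) so rejected redirects do not leak the connection. The rejection is also silent: `http_error_302` returns `None`, so a caller cannot tell a refused `file:` or `ftp:` redirect from any other unhandled response; consider raising an `IOError` with the offending scheme, and add a short test for the rejected case.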

Modified: python/branches/release25-maint/Lib/urllib2.py
==============================================================================
--- python/branches/release25-maint/Lib/urllib2.py	(original)
+++ python/branches/release25-maint/Lib/urllib2.py	Sun Apr 17 22:38:14 2011
@@ -555,6 +555,13 @@
             return
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
         # XXX Probably want to forget about the state of the current
         # request, although that might interact poorly with other
         # handlers that also use handler-specific request attributes
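Review bot: the scheme check duplicates the one just added to `urllib.py` and is done with string prefixes even though `urlparse` is already imported and used on the line above (`urlparse.urljoin`); `urlparse.urlparse(newurl).scheme in ('http', 'https')` would be clearer and would not depend on the exact `://` spelling. As in `urllib.py`, the bare `return` makes the refusal silent and indistinguishable from an unhandled response, so a caller following a redirect to a disallowed scheme gets no indication why; raising `HTTPError` (or at least documenting the `None` return) and adding a test for a redirect to a non-HTTP(S) URL would make the new behaviour explicit.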
