[Python-checkins] cpython (2.5): Add FTP to the allowed url schemes. Add Misc/NEWS.
guido.van.rossum
python-checkins at python.org
Tue Mar 29 22:10:56 CEST 2011
http://hg.python.org/cpython/rev/ca3b117c40f3
changeset: 69041:ca3b117c40f3
branch: 2.5
user: guido at google.com
date: Thu Mar 24 10:44:17 2011 -0700
summary:
Add FTP to the allowed url schemes. Add Misc/NEWS.
files:
Lib/urllib.py | 5 +++--
Lib/urllib2.py | 5 +++--
Misc/NEWS | 3 +++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Lib/urllib.py b/Lib/urllib.py
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -643,10 +643,11 @@
newurl = basejoin(self.type + ":" + url, newurl)
# For security reasons we do not allow redirects to protocols
- # other than HTTP or HTTPS.
+ # other than HTTP, HTTPS or FTP.
newurl_lower = newurl.lower()
if not (newurl_lower.startswith('http://') or
- newurl_lower.startswith('https://')):
+ newurl_lower.startswith('https://') or
+ newurl_lower.startswith('ftp://')):
return
void = fp.read()
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -556,10 +556,11 @@
newurl = urlparse.urljoin(req.get_full_url(), newurl)
# For security reasons we do not allow redirects to protocols
- # other than HTTP or HTTPS.
+ # other than HTTP, HTTPS or FTP.
newurl_lower = newurl.lower()
if not (newurl_lower.startswith('http://') or
- newurl_lower.startswith('https://')):
+ newurl_lower.startswith('https://') or
+ newurl_lower.startswith('ftp://')):
return
# XXX Probably want to forget about the state of the current
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,9 @@
Library
-------
+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+ scheme is not HTTP, HTTPS or FTP. This fixes a security hole.
+
- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
overflow checks in the audioop module (CVE-2010-1634).
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list