Issue 22663: fix redirect vulnerability in urllib/urllib2.

60a4a90c · guido@google.com · ce5d0e22 · 60a4a90c · 60a4a90c
Kaydet (Commit) 60a4a90c authored Mar 24, 2011 tarafından guido@google.com
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

urllib.py Lib/urllib.py +11 -2

urllib2.py Lib/urllib2.py +7 -0

No files found.
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@ class FancyURLopener(URLopener):
            newurl = headers['uri']
        else:
            return
-        void = fp.read()
-        fp.close()
+
        # In case the server sent a relative URL, join with original:
        newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
+        void = fp.read()
+        fp.close()
        return self.open(newurl)

    def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):

--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@ class HTTPRedirectHandler(BaseHandler):
            return
        newurl = urlparse.urljoin(req.get_full_url(), newurl)

+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
        # XXX Probably want to forget about the state of the current
        # request, although that might interact poorly with other
        # handlers that also use handler-specific request attributes