Kaydet (Commit) 6497aa3e authored tarafından Senthil Kumaran's avatar Senthil Kumaran

Issue13696 - Fix 302 Redirection for Relative urls.

üst b7ffed8a
...@@ -1059,6 +1059,19 @@ class HandlerTests(unittest.TestCase): ...@@ -1059,6 +1059,19 @@ class HandlerTests(unittest.TestCase):
MockHeaders({"location": valid_url})) MockHeaders({"location": valid_url}))
self.assertEqual(o.req.get_full_url(), valid_url) self.assertEqual(o.req.get_full_url(), valid_url)
def test_relative_redirect(self):
from_url = "http://example.com/a.html"
relative_url = "/b.html"
h = urllib.request.HTTPRedirectHandler()
o = h.parent = MockOpener()
req = Request(from_url)
req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
valid_url = urllib.parse.urljoin(from_url,relative_url)
h.http_error_302(req, MockFile(), 302, "That's fine",
MockHeaders({"location": valid_url}))
self.assertEqual(o.req.get_full_url(), valid_url)
def test_cookie_redirect(self): def test_cookie_redirect(self):
# cookies shouldn't leak into redirected requests # cookies shouldn't leak into redirected requests
from http.cookiejar import CookieJar from http.cookiejar import CookieJar
......
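Review bot: The new test_relative_redirect never sends a relative Location value: it builds `valid_url` with urljoin and passes that absolute URL in `MockHeaders({"location": valid_url})`, so the handler only sees a URL with an explicit http scheme and the test would pass without the change to the scheme check. The header should carry the relative value, `MockHeaders({"location": relative_url})`, with the assertion against `valid_url` left as it is. A companion case asserting that a Location with a scheme outside http/https/ftp still raises HTTPError would pin the security check that this commit loosens. The enclosing HandlerTests class starts and ends outside the hunk.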
...@@ -552,7 +552,7 @@ class HTTPRedirectHandler(BaseHandler): ...@@ -552,7 +552,7 @@ class HTTPRedirectHandler(BaseHandler):
# For security reasons we don't allow redirection to anything other # For security reasons we don't allow redirection to anything other
# than http, https or ftp. # than http, https or ftp.
if urlparts.scheme not in ('http', 'https', 'ftp'): if urlparts.scheme not in ('http', 'https', 'ftp', ''):
raise HTTPError( raise HTTPError(
newurl, code, newurl, code,
"%s - Redirection to url '%s' is not allowed" % (msg, newurl), "%s - Redirection to url '%s' is not allowed" % (msg, newurl),
...@@ -1935,7 +1935,7 @@ class FancyURLopener(URLopener): ...@@ -1935,7 +1935,7 @@ class FancyURLopener(URLopener):
# We are using newer HTTPError with older redirect_internal method # We are using newer HTTPError with older redirect_internal method
# This older method will get deprecated in 3.3 # This older method will get deprecated in 3.3
if urlparts.scheme not in ('http', 'https', 'ftp'): if urlparts.scheme not in ('http', 'https', 'ftp', ''):
raise HTTPError(newurl, errcode, raise HTTPError(newurl, errcode,
errmsg + errmsg +
" Redirection to url '%s' is not allowed." % newurl, " Redirection to url '%s' is not allowed." % newurl,
......
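Review bot: Adding `''` to the allowed schemes in HTTPRedirectHandler (and to the same tuple in the FancyURLopener hunk) leaves the comment above it stale, since it still says only http, https or ftp are allowed, and it makes the check depend on code outside the hunk to resolve the empty-scheme value against the request URL. If that resolution happens after this check, the allowlist is applied to the raw Location value and not to the URL that is actually fetched; it would be more robust to join first and test the resolved URL's scheme against `('http', 'https', 'ftp')` only. At minimum the comment should state the new rule, e.g. `# An empty scheme is a relative reference; it is resolved against the request URL.` Both functions start and end outside their hunks, so the order of the join relative to the check should be confirmed there.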
...@@ -97,6 +97,8 @@ Core and Builtins ...@@ -97,6 +97,8 @@ Core and Builtins
Library Library
------- -------
- Issue #13696: Fix the 302 Relative URL Redirection problem.
- Issue #13636: Weak ciphers are now disabled by default in the ssl module - Issue #13636: Weak ciphers are now disabled by default in the ssl module
(except when SSLv2 is explicitly asked for). (except when SSLv2 is explicitly asked for).
......