traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Issue 22663: fix redirect vulnerability in urllib/urllib2.

This commit is contained in:
guido@google.com 2011-03-24 08:07:45 -07:00
parent ce5d0e22fc
commit 60a4a90c8d
2 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Lib/urllib.py
View File

@ -638,10 +638,19 @@ class FancyURLopener(URLopener):
newurl = headers['uri'] newurl = headers['uri']
else: else:
return return
void = fp.read()
fp.close()
# In case the server sent a relative URL, join with original: # In case the server sent a relative URL, join with original:
newurl = basejoin(self.type + ":" + url, newurl) newurl = basejoin(self.type + ":" + url, newurl)
# For security reasons we do not allow redirects to protocols
# other than HTTP or HTTPS.
newurl_lower = newurl.lower()
if not (newurl_lower.startswith('http://') or
newurl_lower.startswith('https://')):
return
void = fp.read()
fp.close()
return self.open(newurl) return self.open(newurl)
def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):

7
Lib/urllib2.py
View File

@ -555,6 +555,13 @@ class HTTPRedirectHandler(BaseHandler):
return return
newurl = urlparse.urljoin(req.get_full_url(), newurl) newurl = urlparse.urljoin(req.get_full_url(), newurl)
# For security reasons we do not allow redirects to protocols
# other than HTTP or HTTPS.
newurl_lower = newurl.lower()
if not (newurl_lower.startswith('http://') or
newurl_lower.startswith('https://')):
return
# XXX Probably want to forget about the state of the current # XXX Probably want to forget about the state of the current
# request, although that might interact poorly with other # request, although that might interact poorly with other
# handlers that also use handler-specific request attributes # handlers that also use handler-specific request attributes