Merge issue 11662 from 2.6.

2025-08-18 07:41:05 +00:00 · 2011-03-29 12:53:55 -07:00 · 2011-03-29 12:53:55 -07:00 · 07ef62c47c
commit 07ef62c47c
parent 3c599bdbd1 079381d236
5 changed files with 61 additions and 0 deletions
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler):

        newurl = urlparse.urljoin(req.get_full_url(), newurl)

+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP, HTTPS or FTP.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
+            raise HTTPError(newurl, code,
+                            msg + " - Redirection to url '%s' is not allowed" %
+                            newurl,
+                            headers, fp)
+
        # XXX Probably want to forget about the state of the current
        # request, although that might interact poorly with other
        # handlers that also use handler-specific request attributes