Issue 22663: fix redirect vulnerability in urllib/urllib2.

2025-11-25 12:44:13 +00:00 · 2011-03-24 08:07:45 -07:00 · 2011-03-24 08:07:45 -07:00 · 60a4a90c8d
commit 60a4a90c8d
parent ce5d0e22fc
2 changed files with 18 additions and 2 deletions
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@ -555,6 +555,13 @@ class HTTPRedirectHandler(BaseHandler):
            return
        newurl = urlparse.urljoin(req.get_full_url(), newurl)

+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
        # XXX Probably want to forget about the state of the current
        # request, although that might interact poorly with other
        # handlers that also use handler-specific request attributes