Issue 11662: Fix vulnerability in urllib/urllib2.

(This version is a cleaned-up backport of a fix by Senthil Kumaran.)
2025-08-03 08:34:29 +00:00 · 2011-03-29 11:41:02 -07:00 · 2011-03-29 11:41:02 -07:00 · a119df91f3
commit a119df91f3
parent b938c8c253
5 changed files with 74 additions and 0 deletions
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@ -528,6 +528,17 @@ class HTTPRedirectHandler(BaseHandler):

        # fix a possible malformed URL
        urlparts = urlparse(newurl)
+
+        # For security reasons we don't allow redirection to anything other
+        # than http, https or ftp.
+
+        if not urlparts.scheme in ('http', 'https', 'ftp'):
+            raise HTTPError(newurl, code,
+                            msg +
+                            " - Redirection to url '%s' is not allowed" %
+                            newurl,
+                            headers, fp)
+
        if not urlparts.path:
            urlparts = list(urlparts)
            urlparts[2] = "/"
@ -1864,8 +1875,24 @@ class FancyURLopener(URLopener):
            return
        void = fp.read()
        fp.close()
+
        # In case the server sent a relative URL, join with original:
        newurl = urljoin(self.type + ":" + url, newurl)
+
+        urlparts = urlparse(newurl)
+
+        # For security reasons, we don't allow redirection to anything other
+        # than http, https and ftp.
+
+        # We are using newer HTTPError with older redirect_internal method
+        # This older method will get deprecated in 3.3
+
+        if not urlparts.scheme in ('http', 'https', 'ftp'):
+            raise HTTPError(newurl, errcode,
+                            errmsg +
+                            " Redirection to url '%s' is not allowed." % newurl,
+                            headers, fp)
+
        return self.open(newurl)

    def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):