[Python-checkins] cpython (2.5): Issue 22663: fix redirect vulnerability in urllib/urllib2.

guido.van.rossum python-checkins at python.org
Tue Mar 29 22:10:55 CEST 2011 

http://hg.python.org/cpython/rev/dd852a0f92d6
changeset: 69040:dd852a0f92d6
branch: 2.5
parent: 68801:f9763c363cc3
user: guido at google.com
date: Thu Mar 24 08:07:45 2011 -0700
summary:
 Issue 22663: fix redirect vulnerability in urllib/urllib2.
files:
 Lib/urllib.py | 13 +++++++++++--
 Lib/urllib2.py | 7 +++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/Lib/urllib.py b/Lib/urllib.py
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@
 newurl = headers['uri']
 else:
 return
+
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
+
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
 void = fp.read()
 fp.close()
- # In case the server sent a relative URL, join with original:
- newurl = basejoin(self.type + ":" + url, newurl)
 return self.open(newurl)
 
 def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@
 return
 newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
 # XXX Probably want to forget about the state of the current
 # request, although that might interact poorly with other
 # handlers that also use handler-specific request attributes
-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list

AltStyle によって変換されたページ (->オリジナル) /