$NetBSD: patch-ba,v 1.3 2011/03/28 15:58:15 drochner Exp $

Issue #11662 (CVE-2011-1521)

--- Lib/urllib.py.orig	2007-03-14 08:27:57.000000000 +0000
+++ Lib/urllib.py
@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
             newurl = headers['uri']
         else:
             return
-        void = fp.read()
-        fp.close()
+
         # In case the server sent a relative URL, join with original:
         newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP, HTTPS or FTP.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://') or
+		newurl_lower.startswith('ftp://')):
+            return
+
+        void = fp.read()
+        fp.close()
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):