lang/python25/patches/patch-ba


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

$NetBSD: patch-ba,v 1.3 2011/03/28 15:58:15 drochner Exp $

Issue #11662 (CVE-2011-1521)

--- Lib/urllib.py.orig	2007-03-14 08:27:57.000000000 +0000
+++ Lib/urllib.py
@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
             newurl = headers['uri']
         else:
             return
-        void = fp.read()
-        fp.close()
+
         # In case the server sent a relative URL, join with original:
         newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP, HTTPS or FTP.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://') or
+		newurl_lower.startswith('ftp://')):
+            return
+
+        void = fp.read()
+        fp.close()
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):