blob: 061659d0a5ecce2bb88761781443c1860bd8d8d6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
$NetBSD: patch-bb,v 1.3 2011/03/28 15:58:15 drochner Exp $
Issue #11662 (CVE-2011-1521)
--- Lib/urllib2.py.orig 2008-04-22 21:17:18.000000000 +0000
+++ Lib/urllib2.py
@@ -555,6 +555,14 @@ class HTTPRedirectHandler(BaseHandler):
return
newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP, HTTPS or FTP.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://') or
+ newurl_lower.startswith('ftp://')):
+ return
+
# XXX Probably want to forget about the state of the current
# request, although that might interact poorly with other
# handlers that also use handler-specific request attributes
|