blob: 1af34378a99ef7e0aa348c3bff52c90f5d7a0a8e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
Issue #11662 (CVE-2011-1521)
--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
+++ Lib/urllib2.py
@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP, HTTPS or FTP.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://') or
+ newurl_lower.startswith('ftp://')):
+ return
+
# XXX Probably want to forget about the state of the current
# request, although that might interact poorly with other
# handlers that also use handler-specific request attributes
|
