diff -r f9763c363cc3 -r ca3b117c40f3 Lib/urllib.py --- a/Lib/urllib.py Mon Mar 21 10:30:07 2011 +0100 +++ b/Lib/urllib.py Thu Mar 24 10:44:17 2011 -0700 @@ -638,10 +638,20 @@ newurl = headers['uri'] else: return + + # In case the server sent a relative URL, join with original: + newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + return + void = fp.read() fp.close() - # In case the server sent a relative URL, join with original: - newurl = basejoin(self.type + ":" + url, newurl) return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff -r f9763c363cc3 -r ca3b117c40f3 Lib/urllib2.py --- a/Lib/urllib2.py Mon Mar 21 10:30:07 2011 +0100 +++ b/Lib/urllib2.py Thu Mar 24 10:44:17 2011 -0700 @@ -555,6 +555,14 @@ return newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + return + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes diff -r f9763c363cc3 -r ca3b117c40f3 Misc/NEWS --- a/Misc/NEWS Mon Mar 21 10:30:07 2011 +0100 +++ b/Misc/NEWS Thu Mar 24 10:44:17 2011 -0700 @@ -12,6 +12,9 @@ Library ------- +- Issue #11662: Make urllib and urllib2 ignore redirections if the + scheme is not HTTP, HTTPS or FTP. This fixes a security hole. + - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing overflow checks in the audioop module (CVE-2010-1634).