classification
Title: [urllib.request.HTTPRedirectHandler.http_error_302] Relative Redirect issue
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.2, Python 3.3
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: CRicky, gvanrossum, orsenthil, pitrou, python-dev
Priority: normal
Keywords: patch

Created on 2012-01-02 18:40 by CRicky, last changed 2012-01-04 07:26 by orsenthil. This issue is now closed.

Files
File name: 13696.diff, uploaded by orsenthil, 2012-01-04 05:59
Messages (5)
msg150473 - Author: CRicky (CRicky) Date: 2012-01-02 18:40
I had an HTTP redirection that worked perfectly on version 3.1.

On version 3.2, I get an HTTP error 302. In this redirection, I actually have 2 redirections. The last one does not work because it is a relative redirection, so urlparts.scheme is empty.

Some lines have been added in version 3.2 for security reasons, but they also block relative links in 302 return.

To correct this, I have added an empty scheme to the check:
        if not urlparts.scheme in ('http', 'https', 'ftp', ''):

With that, it works correctly.
I don't make you any for 3 new chars. ;)

Best regards,
CRicky
msg150504 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2012-01-03 15:36
CRicky's proposed change looks reasonable to me - although it would be better with a unit test too :)
msg150521 - Author: Guido van Rossum (gvanrossum) (Python committer) Date: 2012-01-03 18:10
(This is in reference to issue 11662.)

I can't think of a way that this proposed change would bring back the original vulnerability, so go ahead.
msg150591 - Author: Senthil Kumaran (orsenthil) (Python committer) Date: 2012-01-04 05:59
Here is the patch against 3.2. Something is wrong with the mercurial at the moment where 3.2 is shown as inactive. Once that is corrected, I shall commit and push this to 3.2 and cpython codelines.

This bug is not present in 2.7 as different logic is followed in there.
msg150593 - Author: Roundup Robot (python-dev) Date: 2012-01-04 06:47
New changeset 86141d28b20d by Senthil Kumaran in branch '3.2':
Issue13696 - Fix 302 Redirection for Relative urls.
http://hg.python.org/cpython/rev/86141d28b20d
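
The scheme check discussed in this thread, as an added example (not the attached 13696.diff and not CPython's own code): it compares the check as the report describes it in 3.2 with the version that also accepts an empty scheme, then resolves the Location against the request URL. The function names and all URLs are constructed for illustration.

```python
from urllib.parse import urljoin, urlparse

# Schemes named in the check quoted in the report.
ALLOWED_SCHEMES = ("http", "https", "ftp")


def allowed_in_32(location):
    """Check as the report describes it in 3.2: a relative Location has an
    empty scheme, so it is rejected along with disallowed schemes."""
    return urlparse(location).scheme in ALLOWED_SCHEMES


def allowed_with_fix(location):
    """Check with the empty scheme added, as proposed in the report."""
    return urlparse(location).scheme in ALLOWED_SCHEMES + ("",)


def resolve_redirect(request_url, location):
    """Apply the fixed check, then resolve Location against the request URL.

    Returns the absolute URL to follow; raises ValueError when the scheme
    is not allowed.
    """
    if not allowed_with_fix(location):
        raise ValueError("redirect to disallowed scheme: %r" % location)
    target = urljoin(request_url, location)
    # A relative reference inherits the scheme of the URL it is resolved
    # against, so the resolved target is re-checked without the '' entry.
    if not allowed_in_32(target):
        raise ValueError("resolved redirect has disallowed scheme: %r" % target)
    return target


if __name__ == "__main__":
    base = "http://www.example.com/a/b"  # constructed request URL
    for loc in ("/login?next=1", "next/page", "//other.example/x",
                "https://www.example.org/", "file:///tmp/constructed"):
        try:
            print(loc, "->", resolve_redirect(base, loc))
        except ValueError as exc:
            print(loc, "->", exc)
```

Because the resolved target takes its scheme from the request URL, accepting an empty scheme in Location does not widen the set of schemes that can be followed.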
History
Date                 User           Action  Args
2016-07-31 03:38:24  martin.panter  link    issue13651 superseder
2015-04-11 06:35:18  martin.panter  link    issue12275 superseder
2015-04-11 06:33:59  martin.panter  link    issue14767 superseder
2012-01-04 07:26:30  orsenthil      set     status: open -> closed; resolution: fixed; stage: test needed -> resolved
2012-01-04 06:47:45  python-dev     set     nosy: + python-dev; messages: + msg150593
2012-01-04 05:59:29  orsenthil      set     files: + 13696.diff; keywords: + patch; messages: + msg150591
2012-01-03 18:10:44  gvanrossum     set     messages: + msg150521
2012-01-03 15:36:56  pitrou         set     nosy: + pitrou, gvanrossum; messages: + msg150504
2012-01-03 03:50:09  meador.inge    set     nosy: + orsenthil; stage: test needed; versions: + Python 3.3
2012-01-02 18:40:30  CRicky         create