diff -r c8701b9256cf -r a9b05b89ea39 Doc/library/urllib.request.rst --- a/Doc/library/urllib.request.rst Tue Mar 29 13:00:28 2011 -0700 +++ b/Doc/library/urllib.request.rst Tue Mar 29 15:08:00 2011 -0400 @@ -650,10 +650,6 @@ is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the precise meanings of the various redirection codes. - An :class:`HTTPError` exception raised as a security consideration if the - HTTPRedirectHandler is presented with a redirected url which is not an HTTP, - HTTPS or FTP url. - .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl) diff -r c8701b9256cf -r a9b05b89ea39 Lib/test/test_urllib.py --- a/Lib/test/test_urllib.py Tue Mar 29 13:00:28 2011 -0700 +++ b/Lib/test/test_urllib.py Tue Mar 29 15:08:00 2011 -0400 @@ -2,7 +2,6 @@ import urllib.parse import urllib.request -import urllib.error import http.client import email.message import io @@ -207,21 +206,6 @@ finally: self.unfakehttp() - def test_invalid_redirect(self): - # urlopen() should raise IOError for many error codes. - self.fakehttp(b'''HTTP/1.1 302 Found -Date: Wed, 02 Jan 2008 03:03:54 GMT -Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e -Location: file://guidocomputer.athome.com:/python/license -Connection: close -Content-Type: text/html; charset=iso-8859-1 -''') - try: - self.assertRaises(urllib.error.HTTPError, urlopen, - "http://python.org/") - finally: - self.unfakehttp() - def test_empty_socket(self): # urlopen() raises IOError if the underlying socket does not send any # data. (#1680230) diff -r c8701b9256cf -r a9b05b89ea39 Lib/test/test_urllib2.py --- a/Lib/test/test_urllib2.py Tue Mar 29 13:00:28 2011 -0700 +++ b/Lib/test/test_urllib2.py Tue Mar 29 15:08:00 2011 -0400 
@@ -10,7 +10,6 @@ # The proxy bypass method imported below has logic specific to the OSX # proxy config data structure but is testable on all platforms. from urllib.request import Request, OpenerDirector, _proxy_bypass_macosx_sysconf -import urllib.error # XXX # Request @@ -1032,29 +1031,6 @@ self.assertEqual(count, urllib.request.HTTPRedirectHandler.max_redirections) - - def test_invalid_redirect(self): - from_url = "http://example.com/a.html" - valid_schemes = ['http','https','ftp'] - invalid_schemes = ['file','imap','ldap'] - schemeless_url = "example.com/b.html" - h = urllib.request.HTTPRedirectHandler() - o = h.parent = MockOpener() - req = Request(from_url) - req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT - - for scheme in invalid_schemes: - invalid_url = scheme + '://' + schemeless_url - self.assertRaises(urllib.error.HTTPError, h.http_error_302, - req, MockFile(), 302, "Security Loophole", - MockHeaders({"location": invalid_url})) - - for scheme in valid_schemes: - valid_url = scheme + '://' + schemeless_url - h.http_error_302(req, MockFile(), 302, "That's fine", - MockHeaders({"location": valid_url})) - self.assertEqual(o.req.get_full_url(), valid_url) - def test_cookie_redirect(self): # cookies shouldn't leak into redirected requests from http.cookiejar import CookieJar diff -r c8701b9256cf -r a9b05b89ea39 Lib/urllib/request.py --- a/Lib/urllib/request.py Tue Mar 29 13:00:28 2011 -0700 +++ b/Lib/urllib/request.py Tue Mar 29 15:08:00 2011 -0400 @@ -545,17 +545,6 @@ # fix a possible malformed URL urlparts = urlparse(newurl) - - # For security reasons we don't allow redirection to anything other - # than http, https or ftp. - - if not urlparts.scheme in ('http', 'https', 'ftp'): - raise HTTPError(newurl, code, - msg + - " - Redirection to url '%s' is not allowed" % - newurl, - headers, fp) - if not urlparts.path: urlparts = list(urlparts) urlparts[2] = "/" 
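Review bot: With the scheme check removed after `urlparts = urlparse(newurl)`, the redirect code accepts whatever scheme the server's Location header names, so a remote response can steer the opener to a `file:` URL or any other installed handler. The same check is dropped before `return self.open(newurl)` in the request.py hunk at -1914, and the Misc/NEWS entry deleted in this diff identifies it as the fix for CVE-2011-1521. The guard should stay in both places, e.g. `if urlparts.scheme not in ('http', 'https', 'ftp'): raise HTTPError(newurl, code, msg + " - Redirection to url '%s' is not allowed" % newurl, headers, fp)`. The two `test_invalid_redirect` tests removed from test_urllib.py and test_urllib2.py are its regression coverage and should be kept with it. The enclosing function starts and ends outside the hunk.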
@@ -1914,24 +1903,8 @@ return void = fp.read() fp.close() - # In case the server sent a relative URL, join with original: newurl = urljoin(self.type + ":" + url, newurl) - - urlparts = urlparse(newurl) - - # For security reasons, we don't allow redirection to anything other - # than http, https and ftp. - - # We are using newer HTTPError with older redirect_internal method - # This older method will get deprecated in 3.3 - - if not urlparts.scheme in ('http', 'https', 'ftp'): - raise HTTPError(newurl, errcode, - errmsg + - " Redirection to url '%s' is not allowed." % newurl, - headers, fp) - return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff -r c8701b9256cf -r a9b05b89ea39 Misc/NEWS --- a/Misc/NEWS Tue Mar 29 13:00:28 2011 -0700 +++ b/Misc/NEWS Tue Mar 29 15:08:00 2011 -0400 @@ -139,9 +139,6 @@ - Issue #11666: let help() display named tuple attributes and methods that start with a leading underscore. -- Issue #11662: Make urllib and urllib2 ignore redirections if the - scheme is not HTTP, HTTPS or FTP (CVE-2011-1521). - - Issue #5537: Fix time2isoz() and time2netscape() functions of httplib.cookiejar for expiration year greater than 2038 on 32-bit systems. diff -r c8701b9256cf -r a9b05b89ea39 setup.py --- a/setup.py Tue Mar 29 13:00:28 2011 -0700 +++ b/setup.py Tue Mar 29 15:08:00 2011 -0400 
@@ -370,12 +370,33 @@ return platform return sys.platform + def add_multiarch_paths(self): + # Debian/Ubuntu multiarch support. + # https://wiki.ubuntu.com/MultiarchSpec + # self.build_temp + tmpfile = os.path.join(self.build_temp, 'multiarch') + if not os.path.exists(self.build_temp): + os.makedirs(self.build_temp) + ret = os.system('dpkg-architecture -qDEB_HOST_MULTIARCH > %s' % + tmpfile) + try: + if ret >> 8 == 0: + with open(tmpfile) as fp: + multiarch_path_component = fp.readline().strip() + add_dir_to_list(self.compiler.library_dirs, + '/usr/lib/' + multiarch_path_component) + add_dir_to_list(self.compiler.include_dirs, + '/usr/include/' + multiarch_path_component) + finally: + os.unlink(tmpfile) + def detect_modules(self): # Ensure that /usr/local is always used, but the local build # directories (i.e. '.' and 'Include') must be first. See issue # 10520. add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') + self.add_multiarch_paths() # Add paths specified in the environment variables LDFLAGS and # CPPFLAGS for header and library files.
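Review bot: The `os.system` call in `add_multiarch_paths` interpolates `tmpfile` into a shell command without quoting. `tmpfile` is derived from `self.build_temp`, so a build directory containing spaces or shell metacharacters changes what the shell runs. Quote the path before interpolation, or run `dpkg-architecture` without a shell and read its stdout directly, which also removes the temporary file; whether subprocess is usable at this stage of the build is not visible from the hunk. The command's stderr is not redirected, so hosts without dpkg-architecture will print a shell error on every build; `'dpkg-architecture -qDEB_HOST_MULTIARCH > %s 2> /dev/null'` would silence it. The leftover `# self.build_temp` comment says nothing and could be replaced with one stating that a non-zero exit status is expected off Debian/Ubuntu and leaves the search paths unchanged.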