23 lines
1002 B
Plaintext
23 lines
1002 B
Plaintext
$OpenBSD: patch-Lib_urllib_py,v 1.1 2011/05/07 09:36:33 fgsch Exp $
|
|
--- Lib/urllib.py.orig Fri May 6 01:06:34 2011
|
|
+++ Lib/urllib.py Fri May 6 01:08:05 2011
|
|
@@ -642,6 +642,18 @@ class FancyURLopener(URLopener):
|
|
fp.close()
|
|
# In case the server sent a relative URL, join with original:
|
|
newurl = basejoin(self.type + ":" + url, newurl)
|
|
+
|
|
+ # For security reasons we do not allow redirects to protocols
|
|
+ # other than HTTP, HTTPS or FTP.
|
|
+ newurl_lower = newurl.lower()
|
|
+ if not (newurl_lower.startswith('http://') or
|
|
+ newurl_lower.startswith('https://') or
|
|
+ newurl_lower.startswith('ftp://')):
|
|
+ raise IOError('redirect error', errcode,
|
|
+ errmsg + " - Redirection to url '%s' is not allowed" %
|
|
+ newurl,
|
|
+ headers)
|
|
+
|
|
return self.open(newurl)
|
|
|
|
def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
|