22 lines
1.0 KiB
Plaintext
22 lines
1.0 KiB
Plaintext
$OpenBSD: patch-Lib_urllib2_py,v 1.1 2011/05/07 09:36:33 fgsch Exp $
|
|
--- Lib/urllib2.py.orig Fri May 6 01:06:34 2011
|
|
+++ Lib/urllib2.py Fri May 6 01:08:06 2011
|
|
@@ -555,6 +555,17 @@ class HTTPRedirectHandler(BaseHandler):
|
|
return
|
|
newurl = urlparse.urljoin(req.get_full_url(), newurl)
|
|
|
|
+ # For security reasons we do not allow redirects to protocols
|
|
+ # other than HTTP, HTTPS or FTP.
|
|
+ newurl_lower = newurl.lower()
|
|
+ if not (newurl_lower.startswith('http://') or
|
|
+ newurl_lower.startswith('https://') or
|
|
+ newurl_lower.startswith('ftp://')):
|
|
+ raise HTTPError(newurl, code,
|
|
+ msg + " - Redirection to url '%s' is not allowed" %
|
|
+ newurl,
|
|
+ headers, fp)
|
|
+
|
|
# XXX Probably want to forget about the state of the current
|
|
# request, although that might interact poorly with other
|
|
# handlers that also use handler-specific request attributes
|