Issue 22663: fix redirect vulnerability in urllib/urllib2.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index 963187c..09ce8c5 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@
newurl = headers['uri']
else:
return
- void = fp.read()
- fp.close()
+
# In case the server sent a relative URL, join with original:
newurl = basejoin(self.type + ":" + url, newurl)
+
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
+ void = fp.read()
+ fp.close()
return self.open(newurl)
def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 50d7aaf..db7ce81 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@
return
newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ # For security reasons we do not allow redirects to protocols
+ # other than HTTP or HTTPS.
+ newurl_lower = newurl.lower()
+ if not (newurl_lower.startswith('http://') or
+ newurl_lower.startswith('https://')):
+ return
+
# XXX Probably want to forget about the state of the current
# request, although that might interact poorly with other
# handlers that also use handler-specific request attributes