Add tests for the urllib[2] vulnerability. Change to raise exceptions.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index b835f52..97597f4 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,7 +638,8 @@
newurl = headers['uri']
else:
return
-
+ void = fp.read()
+ fp.close()
# In case the server sent a relative URL, join with original:
newurl = basejoin(self.type + ":" + url, newurl)
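Review bot: The added `void = fp.read()` / `fp.close()` pair has no comment explaining why it now runs before the scheme check, and the ordering is what matters. The later hunk raises on a rejected redirect, so draining after the check would leave the response open on that path. I would add `# Drain and close the redirect response first so it is released even if the target is rejected below.` above the two lines. The `return` just above them (taken when neither a location nor a uri header is present) appears to still exit without closing `fp`. That is worth confirming, since the function body starts outside this hunk and the indentation is not visible here.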
@@ -648,10 +649,11 @@
if not (newurl_lower.startswith('http://') or
newurl_lower.startswith('https://') or
newurl_lower.startswith('ftp://')):
- return
+ raise IOError('redirect error', errcode,
+ errmsg + " - Redirection to url '%s' is not allowed" %
+ newurl,
+ headers)
- void = fp.read()
- fp.close()
return self.open(newurl)
def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
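Review bot: `newurl` in the new `raise IOError(...)` comes from the server's redirect header and is formatted into the message with `'%s'`, so whatever the remote end sent appears verbatim in tracebacks and logs. Formatting it with `%r` keeps the message unambiguous and escapes any non-printable characters: `errmsg + " - Redirection to url %r is not allowed" % newurl,`. A one-line comment above the check, such as `# Only follow redirects to http, https and ftp; any other scheme is refused.`, would also record the intent of the allow-list. The enclosing function starts outside the hunk.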