Skip to content

Commit 2bc23b8

Browse files
author
guido@google.com
committed
Add FTP to the allowed url schemes. Add Misc/NEWS.
1 parent 60a4a90 commit 2bc23b8

File tree

3 files changed

+9
-4
lines changed

3 files changed

+9
-4
lines changed

Lib/urllib.py

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -643,10 +643,11 @@ def redirect_internal(self, url, fp, errcode, errmsg, headers, data):
643643
newurl = basejoin(self.type + ":" + url, newurl)
644644

645645
# For security reasons we do not allow redirects to protocols
646-
# other than HTTP or HTTPS.
646+
# other than HTTP, HTTPS or FTP.
647647
newurl_lower = newurl.lower()
648648
if not (newurl_lower.startswith('http://') or
649-
newurl_lower.startswith('https://')):
649+
newurl_lower.startswith('https://') or
650+
newurl_lower.startswith('ftp://')):
650651
return
651652

652653
void = fp.read()

Lib/urllib2.py

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -556,10 +556,11 @@ def http_error_302(self, req, fp, code, msg, headers):
556556
newurl = urlparse.urljoin(req.get_full_url(), newurl)
557557

558558
# For security reasons we do not allow redirects to protocols
559-
# other than HTTP or HTTPS.
559+
# other than HTTP, HTTPS or FTP.
560560
newurl_lower = newurl.lower()
561561
if not (newurl_lower.startswith('http://') or
562-
newurl_lower.startswith('https://')):
562+
newurl_lower.startswith('https://') or
563+
newurl_lower.startswith('ftp://')):
563564
return
564565

565566
# XXX Probably want to forget about the state of the current

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ What's New in Python 2.5.6c1?
1212
Library
1313
-------
1414

15+
- Issue #11662: Make urllib and urllib2 ignore redirections if the
16+
scheme is not HTTP, HTTPS or FTP. This fixes a security hole.
17+
1518
- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
1619
overflow checks in the audioop module (CVE-2010-1634).
1720

0 commit comments

Comments
 (0)