
Commit 60a4a90

author
guido@google.com
committed
Issue 22663: fix redirect vulnerability in urllib/urllib2.
1 parent ce5d0e2 commit 60a4a90


2 files changed

+18
-2
lines changed


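--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@ def redirect_internal(self, url, fp, errcode, errmsg, headers, data):
             newurl = headers['uri']
         else:
             return
-        void = fp.read()
-        fp.close()
+
         # In case the server sent a relative URL, join with original:
         newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
+        void = fp.read()
+        fp.close()
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):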
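Review bot: The refusal branch of the new scheme check (`if not (newurl_lower.startswith('http://') or ...`) returns None with `fp` neither read nor closed, and the two `void = fp.read()` / `fp.close()` lines are moved below the check to make that happen, but nothing in the hunk says the move is deliberate, so a later reader is likely to "restore" the early read and silently change what a refused redirect hands back. A comment above the moved read would pin this down, e.g. `# Consume and close the response only once the redirect is accepted; on refusal fp is left intact for the caller.` How the None return is handled lives outside the hunk (presumably the default error path returns fp to the caller), so confirm that wording against it. As a point of style, both this condition and the identical one in the Lib/urllib2.py hunk collapse to the tuple form `if not newurl_lower.startswith(('http://', 'https://')):`, which str.startswith has accepted since Python 2.5. redirect_internal's body starts before the hunk.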
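--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@ def http_error_302(self, req, fp, code, msg, headers):
             return
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
         # XXX Probably want to forget about the state of the current
         # request, although that might interact poorly with other
         # handlers that also use handler-specific request attributes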