Add FTP to the allowed url schemes. Add Misc/NEWS.

2bc23b84 · guido@google.com · 60a4a90c · 2bc23b84 · 2bc23b84 · 2bc23b84
Commit 2bc23b84 authored Mar 24, 2011 by guido@google.com
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

Lib/urllib.py Lib/urllib.py +3 -2

Lib/urllib2.py Lib/urllib2.py +3 -2

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -643,10 +643,11 @@ class FancyURLopener(URLopener):
        newurl = basejoin(self.type + ":" + url, newurl)

        # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
        newurl_lower = newurl.lower()
        if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
            return

        void = fp.read()

--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -556,10 +556,11 @@ class HTTPRedirectHandler(BaseHandler):
        newurl = urlparse.urljoin(req.get_full_url(), newurl)

        # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
        newurl_lower = newurl.lower()
        if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
            return

        # XXX Probably want to forget about the state of the current

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,9 @@ What's New in Python 2.5.6c1?
 Library
 -------

+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+  scheme is not HTTP, HTTPS or FTP.  This fixes a security hole.
+
 - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
  overflow checks in the audioop module (CVE-2010-1634).