Add FTP to the allowed url schemes. Add Misc/NEWS.
authorguido@google.com <guido@google.com>
Thu, 24 Mar 2011 17:44:17 +0000 (10:44 -0700)
committerguido@google.com <guido@google.com>
Thu, 24 Mar 2011 17:44:17 +0000 (10:44 -0700)
Lib/urllib.py
Lib/urllib2.py
Misc/NEWS

index 09ce8c57e84215d7cd23fe28acde98de27a1e62c..b835f52f23954daf993176a170704981ed490ed5 100644 (file)
@@ -643,10 +643,11 @@ class FancyURLopener(URLopener):
         newurl = basejoin(self.type + ":" + url, newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         void = fp.read()
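Review bot: The three-way `or` chain in the added condition is a plain prefix allowlist and reads more clearly in str.startswith's tuple form, `if not newurl_lower.startswith(('http://', 'https://', 'ftp://')):`, which the 2.5 branch this change targets (per the Misc/NEWS entry) already supports. The comment above it states the policy but not the rationale for now accepting FTP alongside HTTP and HTTPS; a sentence recording why FTP was judged acceptable for a redirect target, and that any other scheme is silently dropped by the `return`, would help the next reader, since the commit message says only that FTP is allowed. The enclosing method starts before this hunk and continues after it. The Lib/urllib2.py hunk has the identical pattern and the same two remarks apply there.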
index db7ce81845a50a12823916eb3aa24fafc9e4e599..0bb69a013038fb59f0f9e91e7ca17a20a437ee96 100644 (file)
@@ -556,10 +556,11 @@ class HTTPRedirectHandler(BaseHandler):
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         # XXX Probably want to forget about the state of the current
index 3aea1f331bf6307e40c9eb36b0628c97315b11b8..76aea1782716e3df89d6ba703fd73e06d3970a1c 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,9 @@ What's New in Python 2.5.6c1?
 Library
 -------
 
+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+  scheme is not HTTP, HTTPS or FTP.  This fixes a security hole.
+
 - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
   overflow checks in the audioop module (CVE-2010-1634).