Issue 22663: fix redirect vulnerability in urllib/urllib2.

diff --git a/Lib/urllib.py b/Lib/urllib.py
index 963187cfb27dc58887e0f3b7355c4cc4e6a995e8..09ce8c57e84215d7cd23fe28acde98de27a1e62c 100644 (file)
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -638,10 +638,19 @@ class FancyURLopener(URLopener):
             newurl = headers['uri']
         else:
             return
-        void = fp.read()
-        fp.close()
+
         # In case the server sent a relative URL, join with original:
         newurl = basejoin(self.type + ":" + url, newurl)
+
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
+        void = fp.read()
+        fp.close()
         return self.open(newurl)
 
     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):

diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 50d7aaf204d45ec15c476531626f07cf3db6901c..db7ce81845a50a12823916eb3aa24fafc9e4e599 100644 (file)
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -555,6 +555,13 @@ class HTTPRedirectHandler(BaseHandler):
             return
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP or HTTPS.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://')):
+            return
+
         # XXX Probably want to forget about the state of the current
         # request, although that might interact poorly with other
         # handlers that also use handler-specific request attributes