Add FTP to the allowed url schemes. Add Misc/NEWS.

3 files changed, 9 insertions, 4 deletions

diff --git a/Lib/urllib.py b/Lib/urllib.py
index 09ce8c57e8..b835f52f23 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -643,10 +643,11 @@ class FancyURLopener(URLopener):
         newurl = basejoin(self.type + ":" + url, newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         void = fp.read()
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index db7ce81845..0bb69a0130 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -556,10 +556,11 @@ class HTTPRedirectHandler(BaseHandler):
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         # XXX Probably want to forget about the state of the current
diff --git a/Misc/NEWS b/Misc/NEWS
index 3aea1f331b..76aea17827 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,9 @@ What's New in Python 2.5.6c1?
 Library
 -------
 
+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+  scheme is not HTTP, HTTPS or FTP.  This fixes a security hole.
+
 - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
   overflow checks in the audioop module (CVE-2010-1634).