diff options
author | guido <guido@google.com> | 2011-03-24 10:44:17 -0700 |
---|---|---|
committer | guido <guido@google.com> | 2011-03-24 10:44:17 -0700 |
commit | 83e4a1dfdc0306e4445adf6f8d8ea970cb94dbb6 (patch) | |
tree | 0affd00a331fae7786f6a40fc60905fd9aa672ac | |
parent | 96ec281e156207a76b9266d409e8578fc59865ed (diff) | |
download | cpython-83e4a1dfdc0306e4445adf6f8d8ea970cb94dbb6.tar.gz |
Add FTP to the allowed url schemes. Add Misc/NEWS.
-rw-r--r-- | Lib/urllib.py | 5 | ||||
-rw-r--r-- | Lib/urllib2.py | 5 | ||||
-rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 9 insertions, 4 deletions
diff --git a/Lib/urllib.py b/Lib/urllib.py index 09ce8c57e8..b835f52f23 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -643,10 +643,11 @@ class FancyURLopener(URLopener): newurl = basejoin(self.type + ":" + url, newurl) # For security reasons we do not allow redirects to protocols - # other than HTTP or HTTPS. + # other than HTTP, HTTPS or FTP. newurl_lower = newurl.lower() if not (newurl_lower.startswith('http://') or - newurl_lower.startswith('https://')): + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): return void = fp.read() diff --git a/Lib/urllib2.py b/Lib/urllib2.py index db7ce81845..0bb69a0130 100644 --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -556,10 +556,11 @@ class HTTPRedirectHandler(BaseHandler): newurl = urlparse.urljoin(req.get_full_url(), newurl) # For security reasons we do not allow redirects to protocols - # other than HTTP or HTTPS. + # other than HTTP, HTTPS or FTP. newurl_lower = newurl.lower() if not (newurl_lower.startswith('http://') or - newurl_lower.startswith('https://')): + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): return # XXX Probably want to forget about the state of the current @@ -12,6 +12,9 @@ What's New in Python 2.5.6c1? Library ------- +- Issue #11662: Make urllib and urllib2 ignore redirections if the + scheme is not HTTP, HTTPS or FTP. This fixes a security hole. + - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing overflow checks in the audioop module (CVE-2010-1634). |