diff options
author | guido@google.com <guido@google.com> | 2011-03-29 18:51:26 (GMT) |
---|---|---|
committer | guido@google.com <guido@google.com> | 2011-03-29 18:51:26 (GMT) |
commit | c768ff5d4f69f94455db82646e004fac4d11876e (patch) | |
tree | 77144fa55f5cc370a26d6db11766e0bffd35b3be | |
parent | c7d28be62f56a9089b1a96b2d46a7041822c5885 (diff) | |
parent | a119df91f33724f64e6bc1ecb484eeaa30ace014 (diff) | |
download | cpython-c768ff5d4f69f94455db82646e004fac4d11876e.zip cpython-c768ff5d4f69f94455db82646e004fac4d11876e.tar.gz cpython-c768ff5d4f69f94455db82646e004fac4d11876e.tar.bz2 |
Merge Issue 11662 from 3.1 branch.
-rw-r--r-- | Doc/library/urllib.request.rst | 4 | ||||
-rw-r--r-- | Lib/test/test_urllib.py | 16 | ||||
-rw-r--r-- | Lib/test/test_urllib2.py | 24 | ||||
-rw-r--r-- | Lib/urllib/request.py | 27 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Objects/typeslots.inc | 2 |
6 files changed, 75 insertions, 1 deletion
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst index 044339b..9a905c6 100644 --- a/Doc/library/urllib.request.rst +++ b/Doc/library/urllib.request.rst @@ -650,6 +650,10 @@ HTTPRedirectHandler Objects is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the precise meanings of the various redirection codes. + An :class:`HTTPError` exception raised as a security consideration if the + HTTPRedirectHandler is presented with a redirected url which is not an HTTP, + HTTPS or FTP url. + .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl) diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index e39fa8d..11e5dad 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -2,6 +2,7 @@ import urllib.parse import urllib.request +import urllib.error import http.client import email.message import io @@ -206,6 +207,21 @@ Content-Type: text/html; charset=iso-8859-1 finally: self.unfakehttp() + def test_invalid_redirect(self): + # urlopen() should raise IOError for many error codes. + self.fakehttp(b'''HTTP/1.1 302 Found +Date: Wed, 02 Jan 2008 03:03:54 GMT +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e +Location: file://guidocomputer.athome.com:/python/license +Connection: close +Content-Type: text/html; charset=iso-8859-1 +''') + try: + self.assertRaises(urllib.error.HTTPError, urlopen, + "http://python.org/") + finally: + self.unfakehttp() + def test_empty_socket(self): # urlopen() raises IOError if the underlying socket does not send any # data. (#1680230) diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py index 69bcfa2..39447a8 100644 --- a/Lib/test/test_urllib2.py +++ b/Lib/test/test_urllib2.py @@ -10,6 +10,7 @@ import urllib.request # The proxy bypass method imported below has logic specific to the OSX # proxy config data structure but is testable on all platforms. 
from urllib.request import Request, OpenerDirector, _proxy_bypass_macosx_sysconf +import urllib.error # XXX # Request @@ -1031,6 +1032,29 @@ class HandlerTests(unittest.TestCase): self.assertEqual(count, urllib.request.HTTPRedirectHandler.max_redirections) + + def test_invalid_redirect(self): + from_url = "http://example.com/a.html" + valid_schemes = ['http','https','ftp'] + invalid_schemes = ['file','imap','ldap'] + schemeless_url = "example.com/b.html" + h = urllib.request.HTTPRedirectHandler() + o = h.parent = MockOpener() + req = Request(from_url) + req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT + + for scheme in invalid_schemes: + invalid_url = scheme + '://' + schemeless_url + self.assertRaises(urllib.error.HTTPError, h.http_error_302, + req, MockFile(), 302, "Security Loophole", + MockHeaders({"location": invalid_url})) + + for scheme in valid_schemes: + valid_url = scheme + '://' + schemeless_url + h.http_error_302(req, MockFile(), 302, "That's fine", + MockHeaders({"location": valid_url})) + self.assertEqual(o.req.get_full_url(), valid_url) + def test_cookie_redirect(self): # cookies shouldn't leak into redirected requests from http.cookiejar import CookieJar diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index 53e8107..ebbebe9 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -545,6 +545,17 @@ class HTTPRedirectHandler(BaseHandler): # fix a possible malformed URL urlparts = urlparse(newurl) + + # For security reasons we don't allow redirection to anything other + # than http, https or ftp. 
+ + if not urlparts.scheme in ('http', 'https', 'ftp'): + raise HTTPError(newurl, code, + msg + + " - Redirection to url '%s' is not allowed" % + newurl, + headers, fp) + if not urlparts.path: urlparts = list(urlparts) urlparts[2] = "/" @@ -1903,8 +1914,24 @@ class FancyURLopener(URLopener): return void = fp.read() fp.close() + # In case the server sent a relative URL, join with original: newurl = urljoin(self.type + ":" + url, newurl) + + urlparts = urlparse(newurl) + + # For security reasons, we don't allow redirection to anything other + # than http, https and ftp. + + # We are using newer HTTPError with older redirect_internal method + # This older method will get deprecated in 3.3 + + if not urlparts.scheme in ('http', 'https', 'ftp'): + raise HTTPError(newurl, errcode, + errmsg + + " Redirection to url '%s' is not allowed." % newurl, + headers, fp) + return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): @@ -49,6 +49,9 @@ Core and Builtins Library ------- +- Issue #11662: Make urllib and urllib2 ignore redirections if the + scheme is not HTTP, HTTPS or FTP (CVE-2011-1521). + - Issue #11628: cmp_to_key generated class should use __slots__ - Issue #5537: Fix time2isoz() and time2netscape() functions of diff --git a/Objects/typeslots.inc b/Objects/typeslots.inc index 0494a32..5186dcf 100644 --- a/Objects/typeslots.inc +++ b/Objects/typeslots.inc @@ -1,4 +1,4 @@ -/* Generated by typeslots.py $Revision: 87806 $ */ +/* Generated by typeslots.py $Revision$ */ 0, 0, offsetof(PyHeapTypeObject, as_mapping.mp_ass_subscript), |