diff options
author | Guido van Rossum <guido@python.org> | 2011-03-29 19:51:16 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2011-03-29 19:51:16 (GMT) |
commit | 079381d236f6e62db3a48cbffb14978124d94d14 (patch) | |
tree | dd7b0977a1c139ae8be36560b151215944b1f3e2 | |
parent | af1fee06c96fe24729240498c00ea5fc3d9c5b22 (diff) | |
parent | 92ecb8737b9c708268c6451a01835192c181b721 (diff) | |
download | cpython-079381d236f6e62db3a48cbffb14978124d94d14.zip cpython-079381d236f6e62db3a48cbffb14978124d94d14.tar.gz cpython-079381d236f6e62db3a48cbffb14978124d94d14.tar.bz2 |
Merge issue 11662 from 2.5.
-rw-r--r-- | Lib/test/test_urllib.py | 14 | ||||
-rw-r--r-- | Lib/test/test_urllib2.py | 21 | ||||
-rw-r--r-- | Lib/urllib.py | 12 | ||||
-rw-r--r-- | Lib/urllib2.py | 11 | ||||
-rw-r--r-- | Misc/NEWS | 15 |
5 files changed, 60 insertions, 13 deletions
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index 402309c..84b6f25 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -162,6 +162,20 @@ Content-Type: text/html; charset=iso-8859-1 finally: self.unfakehttp() + def test_invalid_redirect(self): + # urlopen() should raise IOError for many error codes. + self.fakehttp("""HTTP/1.1 302 Found +Date: Wed, 02 Jan 2008 03:03:54 GMT +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e +Location: file:README +Connection: close +Content-Type: text/html; charset=iso-8859-1 +""") + try: + self.assertRaises(IOError, urllib.urlopen, "http://python.org/") + finally: + self.unfakehttp() + def test_empty_socket(self): # urlopen() raises IOError if the underlying socket does not send any # data. (#1680230) diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py index 65ad8e3..8250aab 100644 --- a/Lib/test/test_urllib2.py +++ b/Lib/test/test_urllib2.py @@ -942,6 +942,27 @@ class HandlerTests(unittest.TestCase): self.assertEqual(count, urllib2.HTTPRedirectHandler.max_redirections) + def test_invalid_redirect(self): + from_url = "http://example.com/a.html" + valid_schemes = ['http', 'https', 'ftp'] + invalid_schemes = ['file', 'imap', 'ldap'] + schemeless_url = "example.com/b.html" + h = urllib2.HTTPRedirectHandler() + o = h.parent = MockOpener() + req = Request(from_url) + + for scheme in invalid_schemes: + invalid_url = scheme + '://' + schemeless_url + self.assertRaises(urllib2.HTTPError, h.http_error_302, + req, MockFile(), 302, "Security Loophole", + MockHeaders({"location": invalid_url})) + + for scheme in valid_schemes: + valid_url = scheme + '://' + schemeless_url + h.http_error_302(req, MockFile(), 302, "That's fine", + MockHeaders({"location": valid_url})) + self.assertEqual(o.req.get_full_url(), valid_url) + def test_cookie_redirect(self): # cookies shouldn't leak into redirected requests from cookielib import CookieJar diff --git a/Lib/urllib.py b/Lib/urllib.py index b94f550..3f5b592 100644 --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -652,6 +652,18 @@ class FancyURLopener(URLopener): fp.close() # In case the server sent a relative URL, join with original: newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise IOError('redirect error', errcode, + errmsg + " - Redirection to url '%s' is not allowed" % + newurl, + headers) + return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/Lib/urllib2.py b/Lib/urllib2.py index ca74c9f..2c1c0c5 100644 --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler): newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise HTTPError(newurl, code, + msg + " - Redirection to url '%s' is not allowed" % + newurl, + headers, fp) + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes @@ -19,19 +19,8 @@ Core and Builtins Library ------- -- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing - error handling when accepting a new connection. - -What's New in Python 2.6.6? -=========================== - -*Release date: 2010-08-24* - -Core and Builtins ------------------ - -Library -------- +- Issue #11662: Make urllib and urllib2 ignore redirections if the + scheme is not HTTP, HTTPS or FTP (CVE-2011-1521). What's New in Python 2.6.6 rc 2? |