New submission from Andres Riancho <andresrian...@users.sourceforge.net>:

Buggy code:

"""
if 'location' in headers:
    newurl = headers.getheaders('location')[0]
elif 'uri' in headers:
    newurl = headers.getheaders('uri')[0]
else:
    return
newurl = urlparse.urljoin(req.get_full_url(), newurl)
"""

You might end up being redirected to some "strange" location if for some reason the value of "location" is C:\boot.ini, and you urlparse.urljoin the current URL with that one, you end up with C:\boot.ini. When the urllib2 library opens that, it will open a local file. What I did to fix it is to verify that the protocol of the newurl is http or https.

"""
correct_protocol = newurl.startswith('http://') or newurl.startswith('https://')
if not correct_protocol:
    return
"""

The fix should be applied just below the dangerous urlparse.urljoin.

----------
components: Library (Lib)
messages: 99292
nosy: andresriancho
severity: normal
status: open
title: urllib2.HTTPRedirectHandler incorrect redirect
versions: Python 2.5, Python 2.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue7920>
_______________________________________
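
Added example, not part of the original report and not the library's own code: the scheme check described above, written for Python 3 (urllib.request and urllib.parse instead of urllib2 and urlparse) and checking the parsed scheme rather than a string prefix. The names resolve_redirect and HttpOnlyRedirectHandler are hypothetical, and the sample Location values are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_redirect(current_url, location):
    """Join a Location value onto the current URL.

    Returns the joined URL only if it is an absolute http(s) URL,
    otherwise None. urljoin() hands back a value such as C:\\boot.ini
    unchanged, because "C" parses as a scheme that differs from the base.
    """
    newurl = urljoin(current_url, location)
    parts = urlsplit(newurl)  # the parsed scheme is lower-cased
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return newurl


class HttpOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that refuses any target that is not http(s)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if resolve_redirect(req.full_url, newurl) is None:
            raise urllib.error.HTTPError(
                req.full_url, code,
                "redirect to non-http(s) location refused", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


if __name__ == "__main__":
    base = "http://example.com/a/b"
    # Constructed Location header values, for illustration only.
    for location in ("/login", "https://example.org/x",
                     "C:\\boot.ini", "file:///tmp/constructed.txt"):
        print(repr(location), "->", resolve_redirect(base, location))
```

Install it with urllib.request.build_opener(HttpOnlyRedirectHandler()) so that every redirect followed by that opener passes through the check.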