+18
-2
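--- a/PATH_NOT_SHOWN_ON_PAGE_section1
+++ b/PATH_NOT_SHOWN_ON_PAGE_section1
@@ -638,10 +638,19 @@ def redirect_internal(self, url, fp, errcode, errmsg, headers, data):
 newurl = headers['uri']
 else:
 return
-void = fp.read()
-fp.close()
+
 # In case the server sent a relative URL, join with original:
 newurl = basejoin(self.type + ":" + url, newurl)
+
+# For security reasons we do not allow redirects to protocols
+# other than HTTP or HTTPS.
+newurl_lower = newurl.lower()
+if not (newurl_lower.startswith('http://') or
+newurl_lower.startswith('https://')):
+return
+
+void = fp.read()
+fp.close()
 return self.open(newurl)
 
 def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):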
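Review bot: The new scheme check in redirect_internal returns None without draining or closing fp, while the `void = fp.read()` / `fp.close()` pair now runs only for permitted redirects; the pre-existing `else: return` branch has the same shape, so presumably the caller is expected to drain and close fp on a None result, but nothing in the hunk shows that. If that is the contract, a comment above the new `return` should say so, e.g. `# Rejected like a missing Location header: return None and let the caller close fp.` The "security reasons" comment would help a later maintainer more if it named the risk, i.e. that a server-supplied Location must not be able to steer the opener onto other schemes it can still handle, such as local files. The two-line disjunction can be one call, `if not newurl_lower.startswith(('http://', 'https://')):`, provided the supported interpreters accept a tuple argument (2.5 and later); the same applies to the identical check in the second file section.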
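--- a/PATH_NOT_SHOWN_ON_PAGE_section2
+++ b/PATH_NOT_SHOWN_ON_PAGE_section2
@@ -555,6 +555,13 @@ def http_error_302(self, req, fp, code, msg, headers):
 return
 newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+# For security reasons we do not allow redirects to protocols
+# other than HTTP or HTTPS.
+newurl_lower = newurl.lower()
+if not (newurl_lower.startswith('http://') or
+newurl_lower.startswith('https://')):
+return
+
 # XXX Probably want to forget about the state of the current
 # request, although that might interact poorly with other
 # handlers that also use handler-specific request attributes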
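Review bot: The blocked-redirect `return` in http_error_302 is silent and indistinguishable from the existing `return` for a missing Location header just above it; in this handler chain a None result presumably means "not handled" and leaves it to the remaining handlers to raise, but the hunk does not show that, so the intent is worth recording. A one-line comment above the new `return`, such as `# Returning None leaves the blocked redirect to the default error handler.`, would do it. The check is computed on the already-joined absolute URL, which is the right place, since a relative Location would otherwise never start with a scheme. http_error_302 begins before this hunk, and its remainder continues after it.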