$OpenBSD: patch-Lib_urllib2_py,v 1.3 2011/07/06 12:05:56 jasper Exp $

Fix for CVE-2011-1521: http://hg.python.org/cpython/rev/a778b963eae3

--- Lib/urllib2.py.orig	Sat Nov 20 12:24:08 2010
+++ Lib/urllib2.py	Wed Jul  6 14:05:40 2011
@@ -579,6 +579,17 @@ class HTTPRedirectHandler(BaseHandler):
 
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
+        # For security reasons we do not allow redirects to protocols
+        # other than HTTP, HTTPS or FTP.
+        newurl_lower = newurl.lower()
+        if not (newurl_lower.startswith('http://') or
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
+            raise HTTPError(newurl, code,
+                            msg + " - Redirection to url '%s' is not allowed" %
+                            newurl,
+                            headers, fp)
+
         # XXX Probably want to forget about the state of the current
         # request, although that might interact poorly with other
         # handlers that also use handler-specific request attributes
