Add FTP to the allowed url schemes. Add Misc/NEWS.

Lib/urllib.py

@@ -643,10 +643,11 @@ def redirect_internal(self, url, fp, errcode, errmsg, headers, data):
         newurl = basejoin(self.type + ":" + url, newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         void = fp.read()

Lib/urllib2.py

@@ -556,10 +556,11 @@ def http_error_302(self, req, fp, code, msg, headers):
         newurl = urlparse.urljoin(req.get_full_url(), newurl)
 
         # For security reasons we do not allow redirects to protocols
-        # other than HTTP or HTTPS.
+        # other than HTTP, HTTPS or FTP.
         newurl_lower = newurl.lower()
         if not (newurl_lower.startswith('http://') or
-                newurl_lower.startswith('https://')):
+                newurl_lower.startswith('https://') or
+                newurl_lower.startswith('ftp://')):
             return
 
         # XXX Probably want to forget about the state of the current

Misc/NEWS

@@ -12,6 +12,9 @@ What's New in Python 2.5.6c1?
 Library
 -------
 
+- Issue #11662: Make urllib and urllib2 ignore redirections if the
+  scheme is not HTTP, HTTPS or FTP.  This fixes a security hole.
+
 - Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
   overflow checks in the audioop module (CVE-2010-1634).