SUSE:SLE-12-SP1:GA
python-tornado
File tornado-Fix-an-open-redirect-in-StaticFileHandler.patch of Package python-tornado
diff -Nura tornado-4.2.1/tornado/web.py tornado-4.2.1_new/tornado/web.py --- tornado-4.2.1/tornado/web.py 2023-05-31 16:40:25.837273064 +0800 +++ tornado-4.2.1_new/tornado/web.py 2023-05-31 16:42:45.524398962 +0800 /* * Author: Ben Darnell <ben@bendarnell.com> * Date: Sat May 13 20:58:52 2023 -0400 * * web: Fix an open redirect in StaticFileHandler * * Under some configurations the default_filename redirect could be exploited * to redirect to an attacker-controlled site. This change refuses to redirect * to URLs that could be misinterpreted. * * A test case for the specific vulnerable configuration will follow after the * patch has been available. */ @@ -2391,6 +2391,15 @@ # but there is some prefix to the path that was already # trimmed by the routing if not self.request.path.endswith("/"): + if self.request.path.startswith("//"): + # A redirect with two initial slashes is a "protocol-relative" URL. + # This means the next path segment is treated as a hostname instead + # of a part of the path, making this effectively an open redirect. + # Reject paths starting with two slashes to prevent this. + # This is only reachable under certain configurations. + raise HTTPError( + 403, "cannot redirect path with two initial slashes" + ) self.redirect(self.request.path + "/", permanent=True) return absolute_path = os.path.join(absolute_path, self.default_filename)
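Review bot: the hunk ships without a regression test for the new `startswith("//")` branch, and the description explicitly defers one ("A test case for the specific vulnerable configuration will follow after the patch has been available"); for a backport like this it is worth carrying a test that requests a path beginning with `//` against a StaticFileHandler configured with `default_filename` and asserts a 403 rather than a 301, so the fix stays verifiable on the SLE branch. Also note that the guard sits inside the `if not self.request.path.endswith("/"):` branch, so it only covers the `default_filename` redirect; a path that already ends in `/` is never redirected and needs no check, which matches the in-code comment "This is only reachable under certain configurations."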