openSUSE:Leap:15.4:Update
File CVE-2020-26215.patch of Package python-notebook
From 1abd95130c3345accf002805fa7c12c7fcca5286 Mon Sep 17 00:00:00 2001 From: Min RK <benjaminrk@gmail.com> Date: Thu, 15 Oct 2020 09:39:44 +0200 Subject: [PATCH] Validate redirect target in TrailingSlashHandler Fixes open redirect vulnerability GHSA-c7vm-f5p4-8fqh --- notebook/base/handlers.py | 14 ++++++++++---- notebook/tests/test_paths.py | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+), 4 deletions(-) Index: notebook-5.7.8/notebook/base/handlers.py =================================================================== --- notebook-5.7.8.orig/notebook/base/handlers.py +++ notebook-5.7.8/notebook/base/handlers.py @@ -857,13 +857,18 @@ class APIVersionHandler(APIHandler): class TrailingSlashHandler(web.RequestHandler): """Simple redirect handler that strips trailing slashes - + This should be the first, highest priority handler. """ - + def get(self): - self.redirect(self.request.uri.rstrip('/')) - + path, sep, rest = self.request.uri.partition("?") + # trim trailing *and* leading / + # to avoid misinterpreting repeated '//' + path = "/" + path.strip("/") + new_uri = "".join([path, sep, rest]) + self.redirect(new_uri) + post = put = get @@ -914,6 +919,7 @@ class RedirectWithParams(web.RequestHand url = sep.join([self._url, self.request.query]) self.redirect(url, permanent=self._permanent) + class PrometheusMetricsHandler(IPythonHandler): """ Return prometheus metrics for this notebook server Index: notebook-5.7.8/notebook/tests/test_paths.py =================================================================== --- notebook-5.7.8.orig/notebook/tests/test_paths.py +++ notebook-5.7.8/notebook/tests/test_paths.py @@ -3,6 +3,8 @@ import re import nose.tools as nt from notebook.base.handlers import path_regex +from notebook.utils import url_path_join +from .launchnotebook import NotebookTestBase try: # py3 assert_regex = nt.assert_regex 
@@ -38,3 +40,18 @@ def test_path_regex_bad(): '/y/x/foo', ): assert_not_regex(path, path_pat) + + +class RedirectTestCase(NotebookTestBase): + def test_trailing_slash(self): + for uri, expected in ( + ("/notebooks/mynotebook/", "/notebooks/mynotebook"), + ("////foo///", "/foo"), + ("//example.com/", "/example.com"), + ("/has/param/?hasparam=true", "/has/param?hasparam=true"), + ): + r = self.request("GET", uri, allow_redirects=False) + print(uri, expected) + assert r.status_code == 302 + assert "Location" in r.headers + assert r.headers["Location"] == url_path_join(self.url_prefix, expected)
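Review bot: in TrailingSlashHandler.get (notebook/base/handlers.py, first hunk), a request path made up only of slashes, such as "////", comes out of `path = "/" + path.strip("/")` as "/", which still ends in a slash, whereas the old `rstrip('/')` produced an empty string. If this handler is routed for every URI ending in "/", the redirect target would match it again, so please confirm the root path is excluded by routing or add a test case for it. The comment "to avoid misinterpreting repeated '//'" would also be clearer if it said that a Location value beginning with "//" is read by clients as a network-path reference to another host, since that is the reason the leading slashes are collapsed.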
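Review bot: the second handlers.py hunk (just before class PrometheusMetricsHandler) only adds a blank line, and the first hunk also rewrites whitespace-only lines around the TrailingSlashHandler docstring and `def get`. None of this is part of the redirect fix; dropping the whitespace changes would keep the security backport minimal and easier to apply against other notebook versions.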
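Review bot: in RedirectTestCase.test_trailing_slash (notebook/tests/test_paths.py), `print(uri, expected)` looks like leftover debugging output; put the URI in the assertion messages instead so a failure names the case that broke. The case table also has no entry whose query string itself contains slashes (for example a parameter value ending in "/"), which is the case that would show `partition("?")` leaves `rest` untouched, and nothing exercises POST or PUT even though the handler sets `post = put = get`.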