| 123456789101112131415161718192021222324252627282930313233343536373839404142 |
- From ac79778c91bd9a4a92111f7e06d4b12674571113 Mon Sep 17 00:00:00 2001
- From: Ben Darnell <ben@bendarnell.com>
- Date: Sat, 13 May 2023 20:58:52 -0400
- Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
- Under some configurations the default_filename redirect could be exploited
- to redirect to an attacker-controlled site. This change refuses to redirect
- to URLs that could be misinterpreted.
- A test case for the specific vulnerable configuration will follow after the
- patch has been available.
- Upstream: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
- [Thomas: backported to fix CVE-2023-28370]
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- tornado/web.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
- diff --git a/tornado/web.py b/tornado/web.py
- index cd6a81b4..05b571eb 100644
- --- a/tornado/web.py
- +++ b/tornado/web.py
- @@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler):
- # but there is some prefix to the path that was already
- # trimmed by the routing
- if not self.request.path.endswith("/"):
- + if self.request.path.startswith("//"):
- + # A redirect with two initial slashes is a "protocol-relative" URL.
- + # This means the next path segment is treated as a hostname instead
- + # of a part of the path, making this effectively an open redirect.
- + # Reject paths starting with two slashes to prevent this.
- + # This is only reachable under certain configurations.
- + raise HTTPError(
- + 403, "cannot redirect path with two initial slashes"
- + )
- self.redirect(self.request.path + "/", permanent=True)
- return None
- absolute_path = os.path.join(absolute_path, self.default_filename)
- --
- 2.41.0
|
