1From ac79778c91bd9a4a92111f7e06d4b12674571113 Mon Sep 17 00:00:00 2001 2From: Ben Darnell <ben@bendarnell.com> 3Date: Sat, 13 May 2023 20:58:52 -0400 4Subject: [PATCH] web: Fix an open redirect in StaticFileHandler 5 6Under some configurations the default_filename redirect could be exploited 7to redirect to an attacker-controlled site. This change refuses to redirect 8to URLs that could be misinterpreted. 9 10A test case for the specific vulnerable configuration will follow after the 11patch has been available. 12 13Upstream: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f 14[Thomas: backported to fix CVE-2023-28370] 15Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 16--- 17 tornado/web.py | 9 +++++++++ 18 1 file changed, 9 insertions(+) 19 20diff --git a/tornado/web.py b/tornado/web.py 21index cd6a81b4..05b571eb 100644 22--- a/tornado/web.py 23+++ b/tornado/web.py 24@@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler): 25 # but there is some prefix to the path that was already 26 # trimmed by the routing 27 if not self.request.path.endswith("/"): 28+ if self.request.path.startswith("//"): 29+ # A redirect with two initial slashes is a "protocol-relative" URL. 30+ # This means the next path segment is treated as a hostname instead 31+ # of a part of the path, making this effectively an open redirect. 32+ # Reject paths starting with two slashes to prevent this. 33+ # This is only reachable under certain configurations. 34+ raise HTTPError( 35+ 403, "cannot redirect path with two initial slashes" 36+ ) 37 self.redirect(self.request.path + "/", permanent=True) 38 return None 39 absolute_path = os.path.join(absolute_path, self.default_filename) 40-- 412.41.0 42 43