packages/python-tornado
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!22 [sync] PR-18: Fix CVE-2023-28370

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2023-06-16 06:03:05 +00:00 committed by Gitee
commit 635bea07ad
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2023-28370.patch Normal file
View File

@ -0,0 +1,35 @@
From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Sat, 13 May 2023 20:58:52 -0400
Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.
A test case for the specific vulnerable configuration will follow after the
patch has been available.
---
tornado/web.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tornado/web.py b/tornado/web.py
index 3b676e3c2..565140493 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
# but there is some prefix to the path that was already
# trimmed by the routing
if not self.request.path.endswith("/"):
+ if self.request.path.startswith("//"):
+ # A redirect with two initial slashes is a "protocol-relative" URL.
+ # This means the next path segment is treated as a hostname instead
+ # of a part of the path, making this effectively an open redirect.
+ # Reject paths starting with two slashes to prevent this.
+ # This is only reachable under certain configurations.
+ raise HTTPError(
+ 403, "cannot redirect path with two initial slashes"
+ )
self.redirect(self.request.path + "/", permanent=True)
return None
absolute_path = os.path.join(absolute_path, self.default_filename)

8
python-tornado.spec
View File

@ -1,11 +1,12 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-tornado Name: python-tornado
Version: 6.1 Version: 6.1
Release: 1 Release: 2
Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
License: ASL 2.0 License: ASL 2.0
URL: http://www.tornadoweb.org/ URL: http://www.tornadoweb.org/
Source0: https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz Source0: https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
Patch0: CVE-2023-28370.patch
%description %description
Tornado is an open source version of the scalable, non-blocking web server and tools. Tornado is an open source version of the scalable, non-blocking web server and tools.
@ -31,7 +32,7 @@ Provides: python3-tornado-doc
Tornado is an open source version of the scalable, non-blocking web server and tools. Tornado is an open source version of the scalable, non-blocking web server and tools.
%prep %prep
%autosetup -n tornado-6.1 %autosetup -n tornado-%{version} -p1
%build %build
%py3_build %py3_build
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 6.1-2
- Fix CVE-2023-28370
* Thu Jul 08 2021 yaozc701 <yaozc7@foxmail.com> - 6.1-1 * Thu Jul 08 2021 yaozc701 <yaozc7@foxmail.com> - 6.1-1
- Upgrade version to 6.1 - Upgrade version to 6.1