!22 [sync] PR-18: Fix CVE-2023-28370

From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2023-06-16 06:03:05 +00:00 · 2023-06-16 06:03:05 +00:00 · 635bea07ad
commit 635bea07ad
parent 4b9514f727 9ca6f4bcfd
2 changed files with 41 additions and 2 deletions
--- a/CVE-2023-28370.patch
+++ b/CVE-2023-28370.patch
@ -0,0 +1,35 @@
+From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Sat, 13 May 2023 20:58:52 -0400
+Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index 3b676e3c2..565140493 100644
+--- a/tornado/web.py
+++ b/tornado/web.py
+@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
+             # but there is some prefix to the path that was already
+             # trimmed by the routing
+             if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
+                 self.redirect(self.request.path + "/", permanent=True)
+                 return None
+             absolute_path = os.path.join(absolute_path, self.default_filename)
--- a/python-tornado.spec
+++ b/python-tornado.spec
@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-tornado
 Version:	6.1
-Release:	1
+Release:	2
 Summary:	Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 License:	ASL 2.0
 URL:		http://www.tornadoweb.org/
 Source0:	https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
+Patch0:         CVE-2023-28370.patch

 %description
 Tornado is an open source version of the scalable, non-blocking web server and tools.
@ -31,7 +32,7 @@ Provides:	python3-tornado-doc
 Tornado is an open source version of the scalable, non-blocking web server and tools.

 %prep
-%autosetup -n tornado-6.1
+%autosetup -n tornado-%{version} -p1

 %build
 %py3_build
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 6.1-2
+- Fix CVE-2023-28370
+
 * Thu Jul 08 2021 yaozc701 <yaozc7@foxmail.com> - 6.1-1
 - Upgrade version to 6.1