Fix CVE-2024-42353
This commit is contained in:
starlet-dx
parent
480563b390
commit
f791ef2143
48
backport-CVE-2024-42353.patch
Normal file
48
backport-CVE-2024-42353.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
|
||||
From: Delta Regeer <xistence@0x58.com>
|
||||
Date: Wed, 7 Aug 2024 11:15:35 -0600
|
||||
Subject: [PATCH] Add fix for open redirect
|
||||
|
||||
---
|
||||
src/webob/response.py | 5 +++++
|
||||
tests/test_response.py | 11 +++++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/webob/response.py b/src/webob/response.py
|
||||
index 2aad591c..efc38ecf 100644
|
||||
--- a/src/webob/response.py
|
||||
+++ b/src/webob/response.py
|
||||
@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
|
||||
if SCHEME_RE.search(value):
|
||||
return value
|
||||
|
||||
+ # This is to fix an open redirect issue due to the way that
|
||||
+ # urlparse.urljoin works. See CVE-2024-42353 and
|
||||
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
|
||||
+ if value.startswith("//"):
|
||||
+ value = "/%2f{}".format(value[2:])
|
||||
new_location = urlparse.urljoin(_request_uri(environ), value)
|
||||
return new_location
|
||||
|
||||
diff --git a/tests/test_response.py b/tests/test_response.py
|
||||
index 9d9f9d37..8a6ac06d 100644
|
||||
--- a/tests/test_response.py
|
||||
+++ b/tests/test_response.py
|
||||
@@ -1031,6 +1031,17 @@ def test_location():
|
||||
assert req.get_response(res).location == 'http://localhost/test2.html'
|
||||
|
||||
|
||||
+def test_location_no_open_redirect():
|
||||
+ # This is a test for a fix for CVE-2024-42353 and
|
||||
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
|
||||
+ res = Response()
|
||||
+ res.status = "301"
|
||||
+ res.location = "//www.example.com/test"
|
||||
+ assert res.location == "//www.example.com/test"
|
||||
+ req = Request.blank("/")
|
||||
+ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
|
||||
+
|
||||
+
|
||||
@pytest.mark.xfail(sys.version_info < (3,0),
|
||||
reason="Python 2.x unicode != str, WSGI requires str. Test "
|
||||
"added due to https://github.com/Pylons/webob/issues/247. "
|
||||
@ -1,11 +1,13 @@
|
||||
Name: python-webob
|
||||
Version: 1.8.7
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: WSGI request and response object
|
||||
License: MIT
|
||||
URL: http://pythonpaste.org/webob/
|
||||
Source0: https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
|
||||
Patch0001: Adapt_py310.patch
|
||||
# https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
|
||||
Patch3000: backport-CVE-2024-42353.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: python3-devel, python3-pytest
|
||||
@ -51,6 +53,9 @@ py.test-3 tests
|
||||
%{python3_sitelib}/*
|
||||
|
||||
%changelog
|
||||
* Thu Aug 15 2024 yaoxin <yao_xin001@hoperun.com> - 1.8.7-3
|
||||
- Fix CVE-2024-42353
|
||||
|
||||
* Wed Mar 02 2022 zhaoshuang <zhaoshuang@uniontech.com> - 1.8.7-2
|
||||
- remove some unnecessary buildrequirements
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user