Fix wording in some comments.
gpshead committed Jun 15, 2022
commit 19a5bf685c7a208e76720bc3826b3ebb68daaf21
10 changes: 5 additions & 5 deletions Lib/http/server.py
Expand Up @@ -329,10 +329,10 @@ def parse_request(self):
return False
self.command, self.path = command, path

# gh-87389: The purpose of replacing '//' with '/' is to protect against
# open redirect attacks module which could be triggered if the path
# starts with '//' because web clients treat //path as an absolute url
# without scheme (similar to http://path) rather than a relative path.
# gh-87389: The purpose of replacing '//' with '/' is to protect
# against open redirect attacks possibly triggered if the path starts
# with '//' because http clients treat //path as an absolute URI
# without scheme (similar to http://path) rather than a path.
if self.path.startswith('//'):
self.path = '/' + self.path.lstrip('/') # Reduce to a single /

Expand Down Expand Up @@ -691,7 +691,7 @@ def send_head(self):
self.send_response(HTTPStatus.MOVED_PERMANENTLY)
# scheme[0] and netloc[1] are intentionally blanked out as we
# are only processing a path. They could allow injection into
# Location header if self.path wound up containing
# the Location header if self.path wound up containing
# more than it was supposed to. See gh-87389.
new_parts = ('', '', parts[2] + '/', parts[3], parts[4])
new_url = urllib.parse.urlunsplit(new_parts)
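Review bot: In the parse_request hunk the reworded comment still describes the guard as "replacing '//' with '/'", but the line under it, `self.path = '/' + self.path.lstrip('/')`, collapses a leading run of any number of slashes and leaves a later '//' in the path untouched. Because this comment documents an open-redirect mitigation, it should state that invariant, so a later simplification (for example, stripping a single slash) is recognisable as a weakening; a possible first line is `# gh-87389: Collapse any run of leading slashes to a single '/' to protect`. In the send_head hunk, `scheme[0] and netloc[1]` reads like indexing into those values; `parts[0] (scheme) and parts[1] (netloc)` would presumably match the tuple built on the `new_parts` line. Both functions start and end outside the visible hunks.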