Skip to content

gh-87389: Fix an open redirection vulnerability in http.server. #93879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gpshead merged 7 commits into from
Jun 21, 2022
Merged

gh-87389: Fix an open redirection vulnerability in http.server. #93879

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2f09fe2
gh-87389: Fix an open redirection vulnerability in http.server.
gpshead Jun 15, 2022
3b38f52
A more defensive assert within the test.
gpshead Jun 15, 2022
19a5bf6
Fix wording in some comments.
gpshead Jun 15, 2022
e16d38d
Add an explanatory comment in the test.
gpshead Jun 15, 2022
25a3a1c
Address vstinner comments on the test.
gpshead Jun 16, 2022
7c9464a
Add a test for absolute Request-URI and fixup to allow it.
gpshead Jun 16, 2022
8563d4a
Further improve test cases.
gpshead Jun 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add an explanatory comment in the test.
  • Loading branch information
@gpshead
gpshead committed Jun 15, 2022
commit e16d38d15e64ec76510c74e7a3a8e1c1dc6eb72a
2 changes: 2 additions & 0 deletions Lib/test/test_httpservers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -429,6 +429,8 @@ def test_get_dir_redirect_location_domain_injection_bug(self):
directory in question exists on the Referrer server.
"""
os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
# Canonicalizes to /tmp/tempdir_name/existing_directory which does
# exist and is a dir, triggering the 301 redirect and former bug.
attack_url = f'//python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
Comment thread
gpshead marked this conversation as resolved.
Outdated
response = self.request(attack_url)
self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
Expand Down