openEuler:Mainline
python-tornado
Changes of Revision 4
_service:tar_scm:python-tornado.spec
Changed
@@ -1,11 +1,12 @@ %global _empty_manifest_terminate_build 0 Name: python-tornado Version: 6.1 -Release: 1 +Release: 2 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. License: ASL 2.0 URL: http://www.tornadoweb.org/ Source0: https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz +Patch0: CVE-2023-28370.patch %description Tornado is an open source version of the scalable, non-blocking web server and tools. @@ -31,7 +32,7 @@ Tornado is an open source version of the scalable, non-blocking web server and tools. %prep -%autosetup -n tornado-6.1 +%autosetup -n tornado-%{version} -p1 %build %py3_build @@ -72,6 +73,9 @@ %{_docdir}/* %changelog +* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 6.1-2 +- Fix CVE-2023-28370 + * Thu Jul 08 2021 yaozc701 <yaozc7@foxmail.com> - 6.1-1 - Upgrade version to 6.1
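Review bot: the new changelog entry `- Fix CVE-2023-28370` should also name the upstream commit it backports (32ad07c54e607839273b4e1819c347f5c8976b2f, as given in the `Patch0` file's `From` header) so the fix is traceable from the spec without opening the patch file. The change from `%autosetup -n tornado-6.1` to `%autosetup -n tornado-%{version} -p1` is correct and required: the patch carries `a/tornado/web.py` and `b/tornado/web.py` prefixes, so it needs `-p1`, and `%autosetup` applies `Patch0` automatically, so no separate `%patch0` line is needed.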
_service:tar_scm:CVE-2023-28370.patch
Added
@@ -0,0 +1,35 @@ +From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001 +From: Ben Darnell <ben@bendarnell.com> +Date: Sat, 13 May 2023 20:58:52 -0400 +Subject: PATCH web: Fix an open redirect in StaticFileHandler + +Under some configurations the default_filename redirect could be exploited +to redirect to an attacker-controlled site. This change refuses to redirect +to URLs that could be misinterpreted. + +A test case for the specific vulnerable configuration will follow after the +patch has been available. +--- + tornado/web.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tornado/web.py b/tornado/web.py +index 3b676e3c2..565140493 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optionalstr + # but there is some prefix to the path that was already + # trimmed by the routing + if not self.request.path.endswith("/"): ++ if self.request.path.startswith("//"): ++ # A redirect with two initial slashes is a "protocol-relative" URL. ++ # This means the next path segment is treated as a hostname instead ++ # of a part of the path, making this effectively an open redirect. ++ # Reject paths starting with two slashes to prevent this. ++ # This is only reachable under certain configurations. ++ raise HTTPError( ++ 403, "cannot redirect path with two initial slashes" ++ ) + self.redirect(self.request.path + "/", permanent=True) + return None + absolute_path = os.path.join(absolute_path, self.default_filename)
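Review bot: the backport ships without a regression test; the upstream message itself says "A test case for the specific vulnerable configuration will follow", so nothing in this package exercises the new 403 path. Suggest verifying, in `%check` or by hand before accepting, that a `StaticFileHandler` configured with `default_filename` answers a request whose path begins with `//` with HTTP 403 rather than a 301 redirect, and that an ordinary directory path without a trailing slash still redirects to `self.request.path + "/"`. The placement of the new check is sound: it sits inside the `if not self.request.path.endswith("/")` branch and runs before `self.redirect(...)`, so the only behaviour that changes is the protocol-relative case the comment describes.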