From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Sat, 13 May 2023 20:58:52 -0400
Subject: [PATCH 1/2] web: Fix an open redirect in StaticFileHandler

Under some configurations the default_filename redirect could be exploited to redirect to an attacker-controlled site. This change refuses to redirect to URLs that could be misinterpreted. A test case for the specific vulnerable configuration will follow after the patch has been available.
---
 tornado/web.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tornado/web.py b/tornado/web.py
index 3b676e3c25..565140493e 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
 # but there is some prefix to the path that was already
 # trimmed by the routing
 if not self.request.path.endswith("/"):
+ if self.request.path.startswith("//"):
+ # A redirect with two initial slashes is a "protocol-relative" URL.
+ # This means the next path segment is treated as a hostname instead
+ # of a part of the path, making this effectively an open redirect.
+ # Reject paths starting with two slashes to prevent this.
+ # This is only reachable under certain configurations.
+ raise HTTPError(
+ 403, "cannot redirect path with two initial slashes"
+ )
 self.redirect(self.request.path + "/", permanent=True)
 return None
 absolute_path = os.path.join(absolute_path, self.default_filename)

From 34f5c1cf2696afec5532ca9e870ba32cbc7fee27 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Sat, 13 May 2023 21:31:48 -0400
Subject: [PATCH 2/2] Version 6.3.2
---
 docs/releases.rst | 1 +
 docs/releases/v6.3.2.rst | 11 +++++++++++
 tornado/__init__.py | 4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 docs/releases/v6.3.2.rst

diff --git a/docs/releases.rst b/docs/releases.rst
index dd53b12ffe..fc7e41654f 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
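Review bot: A request path beginning with `/\` passes the new `startswith("//")` check but still reaches `self.redirect(self.request.path + "/", permanent=True)` on the next line, and browsers that implement WHATWG URL parsing treat a backslash like a slash for http(s) URLs, so a `Location: /\evil.example/.../` response would be resolved as `//evil.example/...` — the same protocol-relative open redirect this hunk is closing. Whether such a path can actually get here depends on the HTTP parser and routing regex passing the backslash through unchanged and on the `os.path.abspath` normalisation above landing back inside `root`, neither of which is visible in this hunk, so treat this as a presumptive bypass to verify with the promised test rather than a confirmed one; it is cheap to close regardless. I would widen the guard to `if self.request.path.startswith(("//", "/\\")):` and add to the comment block `# Browsers also treat a leading "/\" as "//" (WHATWG URL parsing), so reject that form as well.` The enclosing validate_absolute_path starts before and continues after this hunk.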
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
 :maxdepth: 2
+ releases/v6.3.2
 releases/v6.3.1
 releases/v6.3.0
 releases/v6.2.0
diff --git a/docs/releases/v6.3.2.rst b/docs/releases/v6.3.2.rst
new file mode 100644
index 0000000000..250a6e4eb4
--- /dev/null
+++ b/docs/releases/v6.3.2.rst
@@ -0,0 +1,11 @@
+What's new in Tornado 6.3.2
+===========================
+
+May 13, 2023
+------------
+
+Security improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Fixed an open redirect vulnerability in StaticFileHandler under certain
+ configurations.
\ No newline at end of file
diff --git a/tornado/__init__.py b/tornado/__init__.py
index afbd715053..475c1f612e 100644
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.3.1"
-version_info = (6, 3, 1, 0)
+version = "6.3.2"
+version_info = (6, 3, 2, 0)
 import importlib
 import typing