
gh-87389: Fix an open redirection vulnerability in http.server. #93879

Merged (7 commits, merged Jun 21, 2022)

Commits on Jun 15, 2022

  1. pythongh-87389: Fix an open redirection vulnerability in http.server.

    Fix an open redirection vulnerability in the `http.server` module when
    a URI path starts with `//`.  Vulnerability discovered, and initial fix
    proposed, by Hamza Avvan.
    
    Test authored and secondary mitigation by Gregory P. Smith [Google].
    gpshead committed Jun 15, 2022
    2f09fe2
  2. 3b38f52
  3. Fix wording in some comments.

    gpshead committed Jun 15, 2022
    19a5bf6
  4. e16d38d

Commits on Jun 16, 2022

  1. Address vstinner comments on the test.

    Make the base URLs, attack URLs, and expected_location clearer in the
    test.  Adds an additional test for a triple-slash path to ensure we're
    not only treating double slashes as special.
    gpshead committed Jun 16, 2022
    25a3a1c
  2. Add a test for absolute Request-URI and fixup to allow it.

    Remove the send_head scheme & netloc neutering that I had added.
    Unnecessary in the primary issue's case and actually causes a problem
    in this other potential case.  It's unclear how often any clients
    ever send an absolute-URI to an HTTP server instead of a relative-URI,
    but as it works today we shouldn't break that.
    gpshead committed Jun 16, 2022
    7c9464a
  3. Further improve test cases.

    Adds a test for the non-attack as a starting all-ok check.
    Makes the absolute scheme://netloc request-uri case more lenient
    as all we care about there is that the scheme://netloc makes it
    into the Location: header in that scenario.
    gpshead committed Jun 16, 2022
    8563d4a
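The redirect behaviour these commits fix and test, as an added example that is not part of the PR or of the CPython code base: a directory-redirect helper written here to mirror the pre-fix behaviour of `http.server` (a request for a directory without a trailing slash gets a 301 whose Location: is the request path plus `/`), beside the same helper with the leading-slash normalisation applied first. The function names and the `evil.example` / `localhost:8000` sample targets are assumptions. It covers the double-slash case from the first commit, the triple-slash and absolute Request-URI cases from the later test commits, and the all-ok non-attack case.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_request_path(path: str) -> str:
    """Collapse any run of leading slashes in a request path to a single '/'.

    HTTP clients treat "//host/..." (and "///host/...") in a Location: header
    as a scheme-relative absolute URL, i.e. http(s)://host/..., not as a path
    on the current server.  Reducing the prefix to one slash keeps such input
    on the same origin when it is later echoed into a redirect.
    """
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


def unpatched_redirect_location(request_path: str) -> Optional[str]:
    """Directory redirect as it behaved before the fix (illustrative, not stdlib code).

    Returns the value that would be sent in the Location: header, or None
    when the path already ends with '/' and no redirect is needed.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return None
    # urlsplit() reads "//evil.example/dir" as netloc="evil.example", path="/dir",
    # and urlunsplit() faithfully writes the netloc back: an open redirect.
    return urlunsplit((parts.scheme, parts.netloc, parts.path + '/',
                       parts.query, parts.fragment))


def patched_redirect_location(request_path: str) -> Optional[str]:
    """Same redirect with the leading-slash normalisation applied first.

    An absolute Request-URI such as "http://localhost:8000/dir" does not
    start with "//", so its scheme://netloc still reaches the Location: header.
    """
    return unpatched_redirect_location(normalize_request_path(request_path))


if __name__ == '__main__':
    # Constructed sample request targets mirroring the PR's test cases.
    samples = [
        '/dir',                       # the non-attack, all-ok case
        '//evil.example/dir',         # double-slash open redirect
        '///evil.example/dir',        # triple slash: clients also treat as absolute
        'http://localhost:8000/dir',  # absolute Request-URI keeps scheme://netloc
    ]
    for target in samples:
        print(f'{target:28} before: {str(unpatched_redirect_location(target)):24} '
              f'after: {patched_redirect_location(target)}')
```

The normalisation deliberately runs before `urlsplit()` rather than after, because once the parser has already assigned `evil.example` to the netloc component there is no path left to repair.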