Open Redirect Issue affecting Read the Docs versions before 3.5.1
Read the Docs 3.5.1 fixes an issue that affected projects with "prefix" or "sphinx" user-defined redirects. The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either *.readthedocs.io or a custom docs domain) but instead went to a different domain.
This issue was reported by Peter Thomassen and the desec.io DNS security project and was funded by SSE.
The problem has been fixed and deployed on readthedocs.org. Users who depend on the Read the Docs code line for a private instance of Read the Docs are encouraged to update to 3.5.1 as soon as possible.
For more information
If you have any questions or comments about this advisory:
- peterthomassen Peter Thomassen