Skip to content

Commit

Permalink
web: Fix an open redirect in StaticFileHandler
Browse files Browse the repository at this point in the history
Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.

A test case for the specific vulnerable configuration will follow after the
patch has been available.
  • Loading branch information
bdarnell committed May 14, 2023
1 parent e0fa53e commit 32ad07c
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions tornado/web.py
Original file line number Diff line number Diff line change
Expand Up @@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
# but there is some prefix to the path that was already
# trimmed by the routing
if not self.request.path.endswith("/"):
if self.request.path.startswith("//"):
# A redirect with two initial slashes is a "protocol-relative" URL.
# This means the next path segment is treated as a hostname instead
# of a part of the path, making this effectively an open redirect.
# Reject paths starting with two slashes to prevent this.
# This is only reachable under certain configurations.
raise HTTPError(
403, "cannot redirect path with two initial slashes"
)
self.redirect(self.request.path + "/", permanent=True)
return None
absolute_path = os.path.join(absolute_path, self.default_filename)
Expand Down

0 comments on commit 32ad07c

Please sign in to comment.