!23 [sync] PR-19: Fix CVE-2023-28370

From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2023-06-16 06:03:16 +00:00 · 2023-06-16 06:03:16 +00:00 · 8fbd00cf1f
commit 8fbd00cf1f
parent e9aa263eaa c4cdc7dd27
2 changed files with 46 additions and 1 deletions
--- a/CVE-2023-28370.patch
+++ b/CVE-2023-28370.patch
@ -0,0 +1,41 @@
+From c5f1581aaefb39776673e88331abf869197356aa Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 16 Jun 2023 10:35:45 +0800
+Subject: [PATCH 1/1] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+
+Origin:
+https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index a1d2aa5..1a056cc 100644
+--- a/tornado/web.py
+++ b/tornado/web.py
+@@ -2594,6 +2594,15 @@ class StaticFileHandler(RequestHandler):
+             # but there is some prefix to the path that was already
+             # trimmed by the routing
+             if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
+                 self.redirect(self.request.path + "/", permanent=True)
+                 return
+             absolute_path = os.path.join(absolute_path, self.default_filename)
+-- 
+2.30.0
+
--- a/python-tornado.spec
+++ b/python-tornado.spec
@ -1,11 +1,12 @@
 Name:             python-tornado
 Version:          5.0.2
-Release:          7
+Release:          8
 Summary:          a Python web framework and asynchronous networking library
 License:          ASL 2.0
 URL:              http://www.tornadoweb.org
 Source0:          https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz
 Patch0:           fix-erroneous-deprecation-warnings.patch
+Patch1:           CVE-2023-28370.patch

 BuildRequires:    gcc python2-devel python2-singledispatch python3-devel

@ -62,6 +63,9 @@ and other applications that require a long-lived connection to each user.
 %{python3_sitearch}/*

 %changelog
+* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 5.0.2-8
+- Fix CVE-2023-28370
+
 * Mon Sep 27 2021 lingsheng <lingsheng@huawei.com> - 5.0.2-7
 - Provide python-tornado