From c5f1581aaefb39776673e88331abf869197356aa Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 16 Jun 2023 10:35:45 +0800
Subject: [PATCH 1/1] web: Fix an open redirect in StaticFileHandler

Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.

A test case for the specific vulnerable configuration will follow after the
patch has been available.

Origin:
https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
---
 tornado/web.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tornado/web.py b/tornado/web.py
index a1d2aa5..1a056cc 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2594,6 +2594,15 @@ class StaticFileHandler(RequestHandler):
             # but there is some prefix to the path that was already
             # trimmed by the routing
             if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
                 self.redirect(self.request.path + "/", permanent=True)
                 return
             absolute_path = os.path.join(absolute_path, self.default_filename)
-- 
2.30.0