diff mbox series

package/python-tornado: backport fix for CVE-2023-28370

Message ID 20230902223128.3580256-1-thomas.petazzoni@bootlin.com
State Accepted
Headers show
Series package/python-tornado: backport fix for CVE-2023-28370 | expand

Commit Message

Thomas Petazzoni Sept. 2, 2023, 10:31 p.m. UTC 
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...n-open-redirect-in-StaticFileHandler.patch | 42 +++++++++++++++++++
 package/python-tornado/python-tornado.mk      |  2 +
 2 files changed, 44 insertions(+)
 create mode 100644 package/python-tornado/0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch

Comments

Peter Korsgaard Sept. 3, 2023, 7:33 p.m. UTC | #1 
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed, thanks.
Peter Korsgaard Sept. 14, 2023, 9:49 a.m. UTC | #2 
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x and 2023.05.x, thanks.
diff mbox series

Patch

diff --git a/package/python-tornado/0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch b/package/python-tornado/0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch
new file mode 100644
index 0000000000..357c6f2f12
--- /dev/null
+++ b/package/python-tornado/0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch
@@ -0,0 +1,42 @@ 
+From ac79778c91bd9a4a92111f7e06d4b12674571113 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Sat, 13 May 2023 20:58:52 -0400
+Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+
+Upstream: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
+[Thomas: backported to fix CVE-2023-28370]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index cd6a81b4..05b571eb 100644
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler):
+             # but there is some prefix to the path that was already
+             # trimmed by the routing
+             if not self.request.path.endswith("/"):
++                if self.request.path.startswith("//"):
++                    # A redirect with two initial slashes is a "protocol-relative" URL.
++                    # This means the next path segment is treated as a hostname instead
++                    # of a part of the path, making this effectively an open redirect.
++                    # Reject paths starting with two slashes to prevent this.
++                    # This is only reachable under certain configurations.
++                    raise HTTPError(
++                        403, "cannot redirect path with two initial slashes"
++                    )
+                 self.redirect(self.request.path + "/", permanent=True)
+                 return None
+             absolute_path = os.path.join(absolute_path, self.default_filename)
+-- 
+2.41.0
+
diff --git a/package/python-tornado/python-tornado.mk b/package/python-tornado/python-tornado.mk
index 2af86ecb18..f4a4c97d2a 100644
--- a/package/python-tornado/python-tornado.mk
+++ b/package/python-tornado/python-tornado.mk
@@ -12,5 +12,7 @@  PYTHON_TORNADO_LICENSE_FILES = LICENSE
 PYTHON_TORNADO_CPE_ID_VENDOR = tornadoweb
 PYTHON_TORNADO_CPE_ID_PRODUCT = tornado
 PYTHON_TORNADO_SETUP_TYPE = setuptools
+# 0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch
+PYTHON_TORNADO_IGNORE_CVES += CVE-2023-28370
 
 $(eval $(python-package))