mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

python3-tornado: patch CVE-2023-28370

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370

The NVD advisory mentions that the vulnerability was fixed
in v6.3.2. I checked the commits in that tag, and picked the
only one that's commit message described the same vulnerability
as the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2026-01-08 08:46:15 +01:00
parent 61ca38f45d
commit 0e149e4591
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
+39
View File
@@ -0,0 +1,39 @@
From c5674de64189ac407e6ace51bed08899f267ae44 Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Sat, 13 May 2023 20:58:52 -0400
Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.
A test case for the specific vulnerable configuration will follow after the
patch has been available.
CVE: CVE-2023-28370
Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
tornado/web.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tornado/web.py b/tornado/web.py
index 546e6ec..8410880 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
# but there is some prefix to the path that was already
# trimmed by the routing
if not self.request.path.endswith("/"):
+ if self.request.path.startswith("//"):
+ # A redirect with two initial slashes is a "protocol-relative" URL.
+ # This means the next path segment is treated as a hostname instead
+ # of a part of the path, making this effectively an open redirect.
+ # Reject paths starting with two slashes to prevent this.
+ # This is only reachable under certain configurations.
+ raise HTTPError(
+ 403, "cannot redirect path with two initial slashes"
+ )
self.redirect(self.request.path + "/", permanent=True)
return None
absolute_path = os.path.join(absolute_path, self.default_filename)
meta-python/recipes-devtools/python/python3-tornado_6.1.bb
+1
View File
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/"
LICENSE = "Apache-2.0" LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRC_URI += "file://CVE-2023-28370.patch"
SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321" SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321"
SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791" SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"