Skip to content

Commit

Permalink
Merge pull request #3267 from bdarnell/branch6.3
Browse files Browse the repository at this point in the history
Version 6.3.2
  • Loading branch information
bdarnell authored May 14, 2023
2 parents e0fa53e + 34f5c1c commit e3aa6c5
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 2 deletions.
1 change: 1 addition & 0 deletions docs/releases.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ Release notes
.. toctree::
:maxdepth: 2

releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
Expand Down
11 changes: 11 additions & 0 deletions docs/releases/v6.3.2.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
What's new in Tornado 6.3.2
===========================

May 13, 2023
------------

Security improvements
~~~~~~~~~~~~~~~~~~~~~

- Fixed an open redirect vulnerability in StaticFileHandler under certain
configurations.
4 changes: 2 additions & 2 deletions tornado/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@
# is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version
# number has been incremented)
version = "6.3.1"
version_info = (6, 3, 1, 0)
version = "6.3.2"
version_info = (6, 3, 2, 0)

import importlib
import typing
Expand Down
9 changes: 9 additions & 0 deletions tornado/web.py
Original file line number Diff line number Diff line change
Expand Up @@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
# but there is some prefix to the path that was already
# trimmed by the routing
if not self.request.path.endswith("/"):
if self.request.path.startswith("//"):
# A redirect with two initial slashes is a "protocol-relative" URL.
# This means the next path segment is treated as a hostname instead
# of a part of the path, making this effectively an open redirect.
# Reject paths starting with two slashes to prevent this.
# This is only reachable under certain configurations.
raise HTTPError(
403, "cannot redirect path with two initial slashes"
)
self.redirect(self.request.path + "/", permanent=True)
return None
absolute_path = os.path.join(absolute_path, self.default_filename)
Expand Down

0 comments on commit e3aa6c5

Please sign in to comment.