Merge pull request #3266 from bdarnell/fix-open-redirect

web: Fix an open redirect in StaticFileHandler

Merge pull request #3266 from bdarnell/fix-open-redirect
web: Fix an open redirect in StaticFileHandler
89aacf12 · Ben Darnell · GitHub · aca0a2f2 · 8f35b31a · 89aacf12
隐藏空白更改
内联并排

Showing with 9 addition and 0 deletion

tornado/web.py tornado/web.py +9 -0

未找到文件。
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2879,6 +2879,15 @@ class StaticFileHandler(RequestHandler):
            # but there is some prefix to the path that was already
            # trimmed by the routing
            if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
                self.redirect(self.request.path + "/", permanent=True)
                return None
            absolute_path = os.path.join(absolute_path, self.default_filename)