Commit e3aa6c5e (unverified)
Authored May 13, 2023 by Ben Darnell
Committed by GitHub on May 13, 2023
Merge pull request #3267 from bdarnell/branch6.3
Version 6.3.2
Parents: e0fa53ee, 34f5c1cf
Showing 4 changed files with 23 additions and 2 deletions (+23 -2):
docs/releases.rst (+1 -0)
docs/releases/v6.3.2.rst (+11 -0)
tornado/__init__.py (+2 -2)
tornado/web.py (+9 -0)
docs/releases.rst
...
...
@@ -4,6 +4,7 @@ Release notes
.. toctree::
:maxdepth: 2
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
...
...
docs/releases/v6.3.2.rst
0 → 100644
What's new in Tornado 6.3.2
===========================
May 13, 2023
------------
Security improvements
~~~~~~~~~~~~~~~~~~~~~
- Fixed an open redirect vulnerability in StaticFileHandler under certain
configurations.
\ No newline at end of file
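Review bot: The security entry says "under certain configurations" without naming them, so someone reading the release notes cannot tell whether their StaticFileHandler deployment is affected. State which configurations are involved, or link to an advisory if one exists. The new file also ends without a trailing newline ("\ No newline at end of file"), which should be added.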
tornado/__init__.py
...
...
@@ -22,8 +22,8 @@
# is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version
# number has been incremented)
version
=
"6.3.
1
"
version_info
=
(
6
,
3
,
1
,
0
)
version
=
"6.3.
2
"
version_info
=
(
6
,
3
,
2
,
0
)
import
importlib
import
typing
...
...
tornado/web.py
...
...
@@ -2879,6 +2879,15 @@ class StaticFileHandler(RequestHandler):
# but there is some prefix to the path that was already
# trimmed by the routing
if
not
self
.
request
.
path
.
endswith
(
"/"
):
if
self
.
request
.
path
.
startswith
(
"//"
):
# A redirect with two initial slashes is a "protocol-relative" URL.
# This means the next path segment is treated as a hostname instead
# of a part of the path, making this effectively an open redirect.
# Reject paths starting with two slashes to prevent this.
# This is only reachable under certain configurations.
raise
HTTPError
(
403
,
"cannot redirect path with two initial slashes"
)
self
.
redirect
(
self
.
request
.
path
+
"/"
,
permanent
=
True
)
return
None
absolute_path
=
os
.
path
.
join
(
absolute_path
,
self
.
default_filename
)
...
...
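Review bot: No regression test accompanies the new 403 branch in StaticFileHandler. The commit touches only docs/releases.rst, docs/releases/v6.3.2.rst, tornado/__init__.py and tornado/web.py, so nothing pins down that a request path starting with "//" and lacking a trailing slash is rejected instead of being passed to self.redirect(). Add a test that asserts the 403 status and the absence of a Location header for such a path. The comment "This is only reachable under certain configurations" should also name the configuration, so later maintainers can judge when the guard applies.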