import CS python-tornado-6.1.0-9.el9
parent
25c7de0cf1
commit
e05eb32bc9
60
SOURCES/0001-Add-test-for-open-redirect-issue.patch
@ -0,0 +1,60 @@
|
|||||||
|
Subject: [PATCH 1/2] Add test for open redirect issue
|
||||||
|
|
||||||
|
Backported from upstream:
|
||||||
|
- https://github.com/tornadoweb/tornado/commit/b56245730e
|
||||||
|
---
|
||||||
|
tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 30 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
|
||||||
|
index 5490ba2..c641ca1 100644
|
||||||
|
--- a/tornado/test/web_test.py
|
||||||
|
+++ b/tornado/test/web_test.py
|
||||||
|
@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase):
|
||||||
|
self.assertTrue(response.headers["Location"].endswith("/static/dir/"))
|
||||||
|
|
||||||
|
|
||||||
|
+class StaticDefaultFilenameRootTest(WebTestCase):
|
||||||
|
+ def get_app_kwargs(self):
|
||||||
|
+ return dict(
|
||||||
|
+ static_path=os.path.abspath(relpath("static")),
|
||||||
|
+ static_handler_args=dict(default_filename="index.html"),
|
||||||
|
+ static_url_prefix="/",
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ def get_handlers(self):
|
||||||
|
+ return []
|
||||||
|
+
|
||||||
|
+ def get_http_client(self):
|
||||||
|
+ # simple_httpclient only: curl doesn't let you send a request starting
|
||||||
|
+ # with two slashes.
|
||||||
|
+ return SimpleAsyncHTTPClient()
|
||||||
|
+
|
||||||
|
+ def test_no_open_redirect(self):
|
||||||
|
+ # This test verifies that the open redirect that affected some configurations
|
||||||
|
+ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required
|
||||||
|
+ # a static_url_prefix of "/" and a default_filename (any value) to be set.
|
||||||
|
+ # The absolute server-side path to the static directory must also be known.
|
||||||
|
+ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
|
||||||
|
+ response = self.fetch(
|
||||||
|
+ f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
|
||||||
|
+ follow_redirects=False,
|
||||||
|
+ )
|
||||||
|
+ self.assertEqual(response.code, 403)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class StaticFileWithPathTest(WebTestCase):
|
||||||
|
def get_app_kwargs(self):
|
||||||
|
return dict(
|
||||||
|
@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase):
|
||||||
|
body=b"",
|
||||||
|
headers=dict(
|
||||||
|
{"X-Xsrftoken": self.xsrf_token}, # type: ignore
|
||||||
|
- **self.cookie_headers()
|
||||||
|
+ **self.cookie_headers(),
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self.assertEqual(response.code, 200)
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
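Review bot: The new StaticDefaultFilenameRootTest uses SimpleAsyncHTTPClient, ExpectLog, gen_log and relpath, none of which this hunk imports; they are presumably already in scope in 6.1.0's web_test.py since the surrounding tests use them, but that is worth confirming for a backport of a test written against 6.3.x. The ExpectLog pattern `.*cannot redirect path with two initial slashes` and the asserted 403 tie this test to the exact message raised in 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch, so the two patches must be applied together and reworded in lockstep. The second hunk (the trailing comma in XSRFTest) is an unrelated formatting change carried over from upstream; it is harmless but could be dropped to keep the backport minimal.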
@ -0,0 +1,41 @@
|
|||||||
|
From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ben Darnell <ben@bendarnell.com>
|
||||||
|
Date: Tue, 25 Jul 2023 06:39:23 -0400
|
||||||
|
Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler
|
||||||
|
|
||||||
|
Under some configurations the default_filename redirect could be exploited
|
||||||
|
to redirect to an attacker-controlled site. This change refuses to redirect
|
||||||
|
to URLs that could be misinterpreted.
|
||||||
|
|
||||||
|
A test case for the specific vulnerable configuration will follow after the
|
||||||
|
patch has been available.
|
||||||
|
|
||||||
|
Originally from upstream:
|
||||||
|
- https://github.com/tornadoweb/tornado/commit/8f35b31ab
|
||||||
|
---
|
||||||
|
tornado/web.py | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tornado/web.py b/tornado/web.py
|
||||||
|
index 546e6ec..8410880 100644
|
||||||
|
--- a/tornado/web.py
|
||||||
|
+++ b/tornado/web.py
|
||||||
|
@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
|
||||||
|
# but there is some prefix to the path that was already
|
||||||
|
# trimmed by the routing
|
||||||
|
if not self.request.path.endswith("/"):
|
||||||
|
+ if self.request.path.startswith("//"):
|
||||||
|
+ # A redirect with two initial slashes is a "protocol-relative" URL.
|
||||||
|
+ # This means the next path segment is treated as a hostname instead
|
||||||
|
+ # of a part of the path, making this effectively an open redirect.
|
||||||
|
+ # Reject paths starting with two slashes to prevent this.
|
||||||
|
+ # This is only reachable under certain configurations.
|
||||||
|
+ raise HTTPError(
|
||||||
|
+ 403, "cannot redirect path with two initial slashes"
|
||||||
|
+ )
|
||||||
|
self.redirect(self.request.path + "/", permanent=True)
|
||||||
|
return None
|
||||||
|
absolute_path = os.path.join(absolute_path, self.default_filename)
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
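Review bot: The message passed to HTTPError, "cannot redirect path with two initial slashes", is load-bearing: test_no_open_redirect in 0001-Add-test-for-open-redirect-issue.patch matches it with ExpectLog, so a later rewording would silently break the test; a comment above the raise such as `# NOTE: message text is matched by test_no_open_redirect via ExpectLog` would make that coupling visible. The guard sits inside the `if not self.request.path.endswith("/")` branch, so only the default_filename redirect is affected and ordinary file serving is unchanged, which matches the scope described in the commit message. The enclosing StaticFileHandler method starts and ends outside this hunk.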
@ -11,7 +11,7 @@ ideal for real-time web services.}
|
|||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 6.1.0
|
Version: 6.1.0
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Summary: Scalable, non-blocking web server and tools
|
Summary: Scalable, non-blocking web server and tools
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
@ -20,9 +20,13 @@ Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcn
|
|||||||
|
|
||||||
# Do not turn DeprecationWarning in tornado module into Exception
|
# Do not turn DeprecationWarning in tornado module into Exception
|
||||||
# fixes FTBFS with Python 3.8
|
# fixes FTBFS with Python 3.8
|
||||||
Patch1: Do-not-turn-DeprecationWarning-into-Exception.patch
|
Patch: Do-not-turn-DeprecationWarning-into-Exception.patch
|
||||||
# Fix timeout failure in architectures such as ppc64le.
|
# Fix timeout failure in architectures such as ppc64le.
|
||||||
Patch2: Increase-timeout-in-test_request_timeout.patch
|
Patch: Increase-timeout-in-test_request_timeout.patch
|
||||||
|
|
||||||
|
# CVE-2023-28370
|
||||||
|
Patch: 0001-Add-test-for-open-redirect-issue.patch
|
||||||
|
Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: python%{python3_pkgversion}-setuptools
|
BuildRequires: python%{python3_pkgversion}-setuptools
|
||||||
@ -68,6 +72,10 @@ export ASYNC_TEST_TIMEOUT=10
|
|||||||
%doc demos
|
%doc demos
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 25 2023 Sergio Correia <scorreia@redhat.com> - 6.1.0-9
|
||||||
|
- Fix an open redirect in StaticFileHandler
|
||||||
|
Resolves: CVE-2023-28370
|
||||||
|
|
||||||
* Wed Jun 15 2022 Sergio Correia <scorreia@redhat.com> - 6.1.0-8
|
* Wed Jun 15 2022 Sergio Correia <scorreia@redhat.com> - 6.1.0-8
|
||||||
- Fix test failure in pcc64le
|
- Fix test failure in pcc64le
|
||||||
Related: rhbz#2084553
|
Related: rhbz#2084553
|
||||||
|