Merge branch 'feature/UpdateTornado' into dev

2024-11-15 01:15:05 +00:00 · 2023-05-16 11:50:27 +01:00 · 2023-05-16 11:50:27 +01:00 · 8ac3d82c12
commit 8ac3d82c12
parent d335de1bbb b9f558e7ba
3 changed files with 13 additions and 3 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -12,7 +12,7 @@
 * Update Requests library 2.28.1 (ec553c2) to 2.29.0 (87d63de)
 * Update Send2Trash 1.8.1b0 (0ef9b32) to 1.8.2 (0244f53)
 * Update SimpleJSON 3.18.1 (c891b95) to 3.19.1 (aeb63ee)
-* Update Tornado Web Server 6.3.0 (7186b86) to 6.3.1 (419838b)
+* Update Tornado Web Server 6.3.0 (7186b86) to 6.3.2 (e3aa6c5)
 * Update urllib3 1.26.14 (a06c05c) to 1.26.15 (25cca389)
 * Change allow rapidfuzz update from 2.x.x to 3.x.x
 * Change remove redundant py2 import futures
@ -30,6 +30,7 @@
 [develop changelog]

 * Update filelock 3.9.0 (ce3e891) to 3.11.0 (d3241b9)
+* Update Tornado Web Server 6.3.1 (419838b) to 6.3.2 (e3aa6c5)
 * Fix tv test to init recently added ReleaseMap to scene_exceptions refactor
 * Fix double use of var `result` overwrites the return value and causes an error in _parse_custom_exceptions
 * Fix name_parser_tests and webapi_tests
--- a/lib/tornado/init.py
+++ b/lib/tornado/init.py
@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.3.1"
-version_info = (6, 3, 1, 0)
+version = "6.3.2"
+version_info = (6, 3, 2, 0)

 import importlib
 import typing
--- a/lib/tornado/web.py
+++ b/lib/tornado/web.py
@ -2879,6 +2879,15 @@ class StaticFileHandler(RequestHandler):
            # but there is some prefix to the path that was already
            # trimmed by the routing
            if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
                self.redirect(self.request.path + "/", permanent=True)
                return None
            absolute_path = os.path.join(absolute_path, self.default_filename)