Merge branch 'feature/UpdateTornado' into dev

This commit is contained in:
JackDandy 2023-05-16 11:50:27 +01:00
commit 8ac3d82c12
3 changed files with 13 additions and 3 deletions

View file

@ -12,7 +12,7 @@
* Update Requests library 2.28.1 (ec553c2) to 2.29.0 (87d63de) * Update Requests library 2.28.1 (ec553c2) to 2.29.0 (87d63de)
* Update Send2Trash 1.8.1b0 (0ef9b32) to 1.8.2 (0244f53) * Update Send2Trash 1.8.1b0 (0ef9b32) to 1.8.2 (0244f53)
* Update SimpleJSON 3.18.1 (c891b95) to 3.19.1 (aeb63ee) * Update SimpleJSON 3.18.1 (c891b95) to 3.19.1 (aeb63ee)
* Update Tornado Web Server 6.3.0 (7186b86) to 6.3.1 (419838b) * Update Tornado Web Server 6.3.0 (7186b86) to 6.3.2 (e3aa6c5)
* Update urllib3 1.26.14 (a06c05c) to 1.26.15 (25cca389) * Update urllib3 1.26.14 (a06c05c) to 1.26.15 (25cca389)
* Change allow rapidfuzz update from 2.x.x to 3.x.x * Change allow rapidfuzz update from 2.x.x to 3.x.x
* Change remove redundant py2 import futures * Change remove redundant py2 import futures
@ -30,6 +30,7 @@
[develop changelog] [develop changelog]
* Update filelock 3.9.0 (ce3e891) to 3.11.0 (d3241b9) * Update filelock 3.9.0 (ce3e891) to 3.11.0 (d3241b9)
* Update Tornado Web Server 6.3.1 (419838b) to 6.3.2 (e3aa6c5)
* Fix tv test to init recently added ReleaseMap to scene_exceptions refactor * Fix tv test to init recently added ReleaseMap to scene_exceptions refactor
* Fix double use of var `result` overwrites the return value and causes an error in _parse_custom_exceptions * Fix double use of var `result` overwrites the return value and causes an error in _parse_custom_exceptions
* Fix name_parser_tests and webapi_tests * Fix name_parser_tests and webapi_tests

View file

@ -22,8 +22,8 @@
# is zero for an official release, positive for a development branch, # is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version # or negative for a release candidate or beta (after the base version
# number has been incremented) # number has been incremented)
version = "6.3.1" version = "6.3.2"
version_info = (6, 3, 1, 0) version_info = (6, 3, 2, 0)
import importlib import importlib
import typing import typing

View file

@ -2879,6 +2879,15 @@ class StaticFileHandler(RequestHandler):
# but there is some prefix to the path that was already # but there is some prefix to the path that was already
# trimmed by the routing # trimmed by the routing
if not self.request.path.endswith("/"): if not self.request.path.endswith("/"):
if self.request.path.startswith("//"):
# A redirect with two initial slashes is a "protocol-relative" URL.
# This means the next path segment is treated as a hostname instead
# of a part of the path, making this effectively an open redirect.
# Reject paths starting with two slashes to prevent this.
# This is only reachable under certain configurations.
raise HTTPError(
403, "cannot redirect path with two initial slashes"
)
self.redirect(self.request.path + "/", permanent=True) self.redirect(self.request.path + "/", permanent=True)
return None return None
absolute_path = os.path.join(absolute_path, self.default_filename) absolute_path = os.path.join(absolute_path, self.default_filename)