From b9f558e7babee2037aaf48a469695d92f54c4074 Mon Sep 17 00:00:00 2001
From: JackDandy
Date: Tue, 16 May 2023 11:49:53 +0100
Subject: [PATCH] =?UTF-8?q?Update=20Tornado=20Web=20Server=206.3.1=20(4198?=
 =?UTF-8?q?38b)=20=E2=86=92=206.3.2=20(e3aa6c5).?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGES.md | 3 ++-
 lib/tornado/__init__.py | 4 ++--
 lib/tornado/web.py | 9 +++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index c060e493..141afeed 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -12,7 +12,7 @@
 * Update Requests library 2.28.1 (ec553c2) to 2.29.0 (87d63de)
 * Update Send2Trash 1.8.1b0 (0ef9b32) to 1.8.2 (0244f53)
 * Update SimpleJSON 3.18.1 (c891b95) to 3.19.1 (aeb63ee)
-* Update Tornado Web Server 6.3.0 (7186b86) to 6.3.1 (419838b)
+* Update Tornado Web Server 6.3.0 (7186b86) to 6.3.2 (e3aa6c5)
 * Update urllib3 1.26.14 (a06c05c) to 1.26.15 (25cca389)
 * Change allow rapidfuzz update from 2.x.x to 3.x.x
 * Change remove redundant py2 import futures
@@ -30,6 +30,7 @@
 [develop changelog]
 * Update filelock 3.9.0 (ce3e891) to 3.11.0 (d3241b9)
+* Update Tornado Web Server 6.3.1 (419838b) to 6.3.2 (e3aa6c5)
 * Fix tv test to init recently added ReleaseMap to scene_exceptions refactor
 * Fix double use of var `result` overwrites the return value and causes an error in _parse_custom_exceptions
 * Fix name_parser_tests and webapi_tests
diff --git a/lib/tornado/__init__.py b/lib/tornado/__init__.py
index afbd7150..475c1f61 100644
--- a/lib/tornado/__init__.py
+++ b/lib/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.3.1"
-version_info = (6, 3, 1, 0)
+version = "6.3.2"
+version_info = (6, 3, 2, 0)
 import importlib
 import typing
diff --git a/lib/tornado/web.py b/lib/tornado/web.py
index 3b676e3c..56514049 100644
--- a/lib/tornado/web.py
+++ b/lib/tornado/web.py
@@ -2879,6 +2879,15 @@ class StaticFileHandler(RequestHandler):
 # but there is some prefix to the path that was already
 # trimmed by the routing
 if not self.request.path.endswith("/"):
+ if self.request.path.startswith("//"):
+ # A redirect with two initial slashes is a "protocol-relative" URL.
+ # This means the next path segment is treated as a hostname instead
+ # of a part of the path, making this effectively an open redirect.
+ # Reject paths starting with two slashes to prevent this.
+ # This is only reachable under certain configurations.
+ raise HTTPError(
+ 403, "cannot redirect path with two initial slashes"
+ )
 self.redirect(self.request.path + "/", permanent=True)
 return None
 absolute_path = os.path.join(absolute_path, self.default_filename)
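Review bot: The comment on the new guard explains the protocol-relative-URL risk well but leaves its trigger as "only reachable under certain configurations", which tells a maintainer of this vendored copy nothing about which route setups are affected; make it as concrete as the upstream fix allows, e.g. `# Reached when the route pattern lets a request path beginning with "//" through to this handler.` (inferred from the surrounding redirect logic — confirm against upstream before settling the wording). Because the rejection is `raise HTTPError(403, "cannot redirect path with two initial slashes")` with a log message, the event should surface through tornado's normal HTTPError warning logging, which is worth stating so operators know where to confirm the guard fires. A regression check would pin the new behaviour: a StaticFileHandler configured with `default_filename`, requested with a path beginning with `//`, now gets 403 where it previously got a 301. The enclosing method — validate_absolute_path, going by tornado's StaticFileHandler layout — starts and ends outside the hunk.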