import python-tornado-6.4.2-1.el9_5

i9c changed/i9c/python-tornado-6.4.2-1.el9_5
MSVSphere Packaging Team 3 weeks ago
parent 90f5aa94f5
commit 81ba5bd6d1
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

2
.gitignore vendored

@ -1 +1 @@
SOURCES/tornado-6.1.0.tar.gz SOURCES/tornado-6.4.2.tar.gz

@ -1 +1 @@
c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz 94ec7bc896d8b62364abcfc2a906165d80e1baa6 SOURCES/tornado-6.4.2.tar.gz

@ -1,60 +0,0 @@
Subject: [PATCH 1/2] Add test for open redirect issue
Backported from upstream:
- https://github.com/tornadoweb/tornado/commit/b56245730e
---
tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 5490ba2..c641ca1 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase):
self.assertTrue(response.headers["Location"].endswith("/static/dir/"))
+class StaticDefaultFilenameRootTest(WebTestCase):
+ def get_app_kwargs(self):
+ return dict(
+ static_path=os.path.abspath(relpath("static")),
+ static_handler_args=dict(default_filename="index.html"),
+ static_url_prefix="/",
+ )
+
+ def get_handlers(self):
+ return []
+
+ def get_http_client(self):
+ # simple_httpclient only: curl doesn't let you send a request starting
+ # with two slashes.
+ return SimpleAsyncHTTPClient()
+
+ def test_no_open_redirect(self):
+ # This test verifies that the open redirect that affected some configurations
+ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required
+ # a static_url_prefix of "/" and a default_filename (any value) to be set.
+ # The absolute server-side path to the static directory must also be known.
+ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
+ response = self.fetch(
+ f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
+ follow_redirects=False,
+ )
+ self.assertEqual(response.code, 403)
+
+
class StaticFileWithPathTest(WebTestCase):
def get_app_kwargs(self):
return dict(
@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase):
body=b"",
headers=dict(
{"X-Xsrftoken": self.xsrf_token}, # type: ignore
- **self.cookie_headers()
+ **self.cookie_headers(),
),
)
self.assertEqual(response.code, 200)
--
2.39.3

@ -1,41 +0,0 @@
From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Tue, 25 Jul 2023 06:39:23 -0400
Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler
Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.
A test case for the specific vulnerable configuration will follow after the
patch has been available.
Originally from upstream:
- https://github.com/tornadoweb/tornado/commit/8f35b31ab
---
tornado/web.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tornado/web.py b/tornado/web.py
index 546e6ec..8410880 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
# but there is some prefix to the path that was already
# trimmed by the routing
if not self.request.path.endswith("/"):
+ if self.request.path.startswith("//"):
+ # A redirect with two initial slashes is a "protocol-relative" URL.
+ # This means the next path segment is treated as a hostname instead
+ # of a part of the path, making this effectively an open redirect.
+ # Reject paths starting with two slashes to prevent this.
+ # This is only reachable under certain configurations.
+ raise HTTPError(
+ 403, "cannot redirect path with two initial slashes"
+ )
self.redirect(self.request.path + "/", permanent=True)
return None
absolute_path = os.path.join(absolute_path, self.default_filename)
--
2.39.3

@ -1,11 +0,0 @@
diff -Nur tornado-6.0.4/tornado/test/runtests.py tornado-6.0.4-new/tornado/test/runtests.py
--- tornado-6.0.4/tornado/test/runtests.py 2020-03-02 20:21:37.000000000 +0100
+++ tornado-6.0.4-new/tornado/test/runtests.py 2020-09-14 09:21:31.818678680 +0200
@@ -126,7 +126,6 @@
# Tornado generally shouldn't use anything deprecated, but some of
# our dependencies do (last match wins).
warnings.filterwarnings("ignore", category=DeprecationWarning)
- warnings.filterwarnings("error", category=DeprecationWarning, module=r"tornado\..*")
warnings.filterwarnings("ignore", category=PendingDeprecationWarning)
warnings.filterwarnings(
"error", category=PendingDeprecationWarning, module=r"tornado\..*"

@ -10,24 +10,17 @@ handle thousands of simultaneous standing connections, which means it is
ideal for real-time web services.} ideal for real-time web services.}
Name: python-%{srcname} Name: python-%{srcname}
Version: 6.1.0 Version: 6.4.2
Release: 9%{?dist} Release: 1%{?dist}
Summary: Scalable, non-blocking web server and tools Summary: Scalable, non-blocking web server and tools
License: ASL 2.0 License: ASL 2.0
URL: https://www.tornadoweb.org URL: https://www.tornadoweb.org
Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcname}-%{version}.tar.gz Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcname}-%{version}.tar.gz
# Do not turn DeprecationWarning in tornado module into Exception
# fixes FTBFS with Python 3.8
Patch: Do-not-turn-DeprecationWarning-into-Exception.patch
# Fix timeout failure in architectures such as ppc64le. # Fix timeout failure in architectures such as ppc64le.
Patch: Increase-timeout-in-test_request_timeout.patch Patch: Increase-timeout-in-test_request_timeout.patch
# CVE-2023-28370
Patch: 0001-Add-test-for-open-redirect-issue.patch
Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
@ -72,6 +65,10 @@ export ASYNC_TEST_TIMEOUT=10
%doc demos %doc demos
%changelog %changelog
* Tue Nov 26 2024 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
- Update to 6.4.2
Resolves: RHEL-68663
* Tue Jul 25 2023 Sergio Correia <scorreia@redhat.com> - 6.1.0-9 * Tue Jul 25 2023 Sergio Correia <scorreia@redhat.com> - 6.1.0-9
- Fix an open redirect in StaticFileHandler - Fix an open redirect in StaticFileHandler
Resolves: CVE-2023-28370 Resolves: CVE-2023-28370
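Review bot: The 6.4.2-1 changelog entry records only `- Update to 6.4.2`, while the first hunk of this spec drops three `Patch:` lines without saying why, including the two CVE-2023-28370 backports `0001-Add-test-for-open-redirect-issue.patch` and `0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch`. The removed test patch states the open redirect was fixed prior to Tornado 6.3.2, so 6.4.2 presumably carries the upstream fix, but nothing in the spec lets a later reviewer confirm that without re-reading git history. Suggest a changelog line such as `- Drop backported CVE-2023-28370 patches, fix is upstream since 6.3.2` and a matching one for the dropped `Do-not-turn-DeprecationWarning-into-Exception.patch`. The retained `Increase-timeout-in-test_request_timeout.patch` should also be checked to still apply cleanly to the 6.4.2 tree, which the hunk does not show.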
