diff --git a/SOURCES/0001-Add-test-for-open-redirect-issue.patch b/SOURCES/0001-Add-test-for-open-redirect-issue.patch new file mode 100644 index 0000000..2d40188 --- /dev/null +++ b/SOURCES/0001-Add-test-for-open-redirect-issue.patch 
@@ -0,0 +1,60 @@ +Subject: [PATCH 1/2] Add test for open redirect issue + +Backported from upstream: + - https://github.com/tornadoweb/tornado/commit/b56245730e +--- + tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index 5490ba2..c641ca1 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase): + self.assertTrue(response.headers["Location"].endswith("/static/dir/")) + + ++class StaticDefaultFilenameRootTest(WebTestCase): ++ def get_app_kwargs(self): ++ return dict( ++ static_path=os.path.abspath(relpath("static")), ++ static_handler_args=dict(default_filename="index.html"), ++ static_url_prefix="/", ++ ) ++ ++ def get_handlers(self): ++ return [] ++ ++ def get_http_client(self): ++ # simple_httpclient only: curl doesn't let you send a request starting ++ # with two slashes. ++ return SimpleAsyncHTTPClient() ++ ++ def test_no_open_redirect(self): ++ # This test verifies that the open redirect that affected some configurations ++ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required ++ # a static_url_prefix of "/" and a default_filename (any value) to be set. ++ # The absolute server-side path to the static directory must also be known. ++ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"): ++ response = self.fetch( ++ f"//evil.com/../{os.path.dirname(__file__)}/static/dir", ++ follow_redirects=False, ++ ) ++ self.assertEqual(response.code, 403) ++ ++ + class StaticFileWithPathTest(WebTestCase): + def get_app_kwargs(self): + return dict( +@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase): + body=b"", + headers=dict( + {"X-Xsrftoken": self.xsrf_token}, # type: ignore +- **self.cookie_headers() ++ **self.cookie_headers(), + ), + ) + self.assertEqual(response.code, 200) +-- +2.39.3 + 
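Review bot: The backported `StaticDefaultFilenameRootTest` class relies on `SimpleAsyncHTTPClient`, `ExpectLog`, `gen_log` and the `relpath` helper already being in scope in the 6.1.0 copy of `tornado/test/web_test.py`, yet the embedded patch adds no import lines; the import block is outside the hunk, so confirm those names exist at 6.1.0 before `%check` runs this test. The second embedded hunk (`@@ -2837,7 +2866,7 @@ class XSRFTest`) only appends a trailing comma after `**self.cookie_headers()`, which is unrelated to CVE-2023-28370 and is a likely source of fuzz or a reject against the older tree; it could be dropped from the backport without losing coverage. The new test only passes once the companion fix patch is applied, since it asserts the 403 and the `cannot redirect path with two initial slashes` log line that patch introduces; a one-line note in the patch header saying so would help whoever rebases these files.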
diff --git a/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch new file mode 100644 index 0000000..161a6cc --- /dev/null +++ b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch @@ -0,0 +1,41 @@ +From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Tue, 25 Jul 2023 06:39:23 -0400 +Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler + +Under some configurations the default_filename redirect could be exploited +to redirect to an attacker-controlled site. This change refuses to redirect +to URLs that could be misinterpreted. + +A test case for the specific vulnerable configuration will follow after the +patch has been available. + +Originally from upstream: + - https://github.com/tornadoweb/tornado/commit/8f35b31ab +--- + tornado/web.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tornado/web.py b/tornado/web.py +index 546e6ec..8410880 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler): + # but there is some prefix to the path that was already + # trimmed by the routing + if not self.request.path.endswith("/"): ++ if self.request.path.startswith("//"): ++ # A redirect with two initial slashes is a "protocol-relative" URL. ++ # This means the next path segment is treated as a hostname instead ++ # of a part of the path, making this effectively an open redirect. ++ # Reject paths starting with two slashes to prevent this. ++ # This is only reachable under certain configurations. ++ raise HTTPError( ++ 403, "cannot redirect path with two initial slashes" ++ ) + self.redirect(self.request.path + "/", permanent=True) + return None + absolute_path = os.path.join(absolute_path, self.default_filename) +-- +2.39.3 + diff --git a/SPECS/python-tornado.spec b/SPECS/python-tornado.spec index 813e9d9..00944cb 100644 
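Review bot: The guard added before `self.redirect(self.request.path + "/", permanent=True)` rejects only a path that starts with the literal `//`, matching the upstream fix, but the redirect target is built from `self.request.path` without any normalization; a more defensive variant would run the check on a normalized copy (for example after `.replace("\\", "/")`), as redirect-safety helpers in other web frameworks do. Whether any other separator form can reach this branch depends on the routing and `validate_absolute_path` logic outside the hunk, so this is a hardening suggestion rather than a confirmed gap. The 403 reason string `"cannot redirect path with two initial slashes"` is exactly what `ExpectLog` in the companion 0001 patch matches, so the two files must stay in sync if the wording is ever changed.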
--- a/SPECS/python-tornado.spec +++ b/SPECS/python-tornado.spec @@ -11,7 +11,7 @@ ideal for real-time web services.} Name: python-%{srcname} Version: 6.1.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Scalable, non-blocking web server and tools License: ASL 2.0 @@ -20,9 +20,13 @@ Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcn # Do not turn DeprecationWarning in tornado module into Exception # fixes FTBFS with Python 3.8 -Patch1: Do-not-turn-DeprecationWarning-into-Exception.patch +Patch: Do-not-turn-DeprecationWarning-into-Exception.patch # Fix timeout failure in architectures such as ppc64le. -Patch2: Increase-timeout-in-test_request_timeout.patch +Patch: Increase-timeout-in-test_request_timeout.patch + +# CVE-2023-28370 +Patch: 0001-Add-test-for-open-redirect-issue.patch +Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch BuildRequires: gcc BuildRequires: python%{python3_pkgversion}-setuptools @@ -68,6 +72,10 @@ export ASYNC_TEST_TIMEOUT=10 %doc demos %changelog +* Tue Jul 25 2023 Sergio Correia - 6.1.0-9 +- Fix an open redirect in StaticFileHandler + Resolves: CVE-2023-28370 + * Wed Mar 15 2023 MSVSphere Packaging Team - 6.1.0-8 - Rebuilt for MSVSphere 9.1.
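Review bot: In the `@@ -20,9 +20,13 @@` hunk the existing `Patch1:`/`Patch2:` tags are renamed to bare `Patch:`, which is only safe if `%prep` applies patches with `%autosetup -p1` or `%autopatch`; if it still uses explicit `%patch1`/`%patch2` macros the build will break on the missing numbers. The `%prep` section is outside this diff, so that should be verified before the release is tagged. Since the two new patch files each cite their upstream commit (`8f35b31ab` and `b56245730e`), repeating those ids in the `# CVE-2023-28370` comment would let a future rebase check the backport against upstream without opening the patch files.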