import python-tornado-6.1.0-9.el9

1 year ago · 90f5aa94f5
parent 6610c803a3
commit 90f5aa94f5
3 changed files with 112 additions and 3 deletions
--- a/SOURCES/0001-Add-test-for-open-redirect-issue.patch
+++ b/SOURCES/0001-Add-test-for-open-redirect-issue.patch
@ -0,0 +1,60 @@
 Subject: [PATCH 1/2] Add test for open redirect issue
 Backported from upstream:
 - https://github.com/tornadoweb/tornado/commit/b56245730e
 ---
 tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
 diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
 index 5490ba2..c641ca1 100644
 --- a/tornado/test/web_test.py
 +++ b/tornado/test/web_test.py
@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase):
         self.assertTrue(response.headers["Location"].endswith("/static/dir/"))
 +class StaticDefaultFilenameRootTest(WebTestCase):
 +    def get_app_kwargs(self):
 +        return dict(
 +            static_path=os.path.abspath(relpath("static")),
 +            static_handler_args=dict(default_filename="index.html"),
 +            static_url_prefix="/",
 +        )
 +
 +    def get_handlers(self):
 +        return []
 +
 +    def get_http_client(self):
 +        # simple_httpclient only: curl doesn't let you send a request starting
 +        # with two slashes.
 +        return SimpleAsyncHTTPClient()
 +
 +    def test_no_open_redirect(self):
 +        # This test verifies that the open redirect that affected some configurations
 +        # prior to Tornado 6.3.2 is no longer possible. The vulnerability required
 +        # a static_url_prefix of "/" and a default_filename (any value) to be set.
 +        # The absolute server-side path to the static directory must also be known.
 +        with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
 +            response = self.fetch(
 +                f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
 +                follow_redirects=False,
 +            )
 +        self.assertEqual(response.code, 403)
 +
 +
 class StaticFileWithPathTest(WebTestCase):
     def get_app_kwargs(self):
         return dict(
@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase):
             body=b"",
             headers=dict(
                 {"X-Xsrftoken": self.xsrf_token},  # type: ignore
 -                **self.cookie_headers()
 +                **self.cookie_headers(),
             ),
         )
         self.assertEqual(response.code, 200)
 -- 
 2.39.3
--- a/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
+++ b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
@ -0,0 +1,41 @@
 From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001
 From: Ben Darnell <ben@bendarnell.com>
 Date: Tue, 25 Jul 2023 06:39:23 -0400
 Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler
 Under some configurations the default_filename redirect could be exploited
 to redirect to an attacker-controlled site. This change refuses to redirect
 to URLs that could be misinterpreted.
 A test case for the specific vulnerable configuration will follow after the
 patch has been available.
 Originally from upstream:
  - https://github.com/tornadoweb/tornado/commit/8f35b31ab
 ---
 tornado/web.py | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/tornado/web.py b/tornado/web.py
 index 546e6ec..8410880 100644
 --- a/tornado/web.py
 +++ b/tornado/web.py
@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
             # but there is some prefix to the path that was already
             # trimmed by the routing
             if not self.request.path.endswith("/"):
 +                if self.request.path.startswith("//"):
 +                    # A redirect with two initial slashes is a "protocol-relative" URL.
 +                    # This means the next path segment is treated as a hostname instead
 +                    # of a part of the path, making this effectively an open redirect.
 +                    # Reject paths starting with two slashes to prevent this.
 +                    # This is only reachable under certain configurations.
 +                    raise HTTPError(
 +                        403, "cannot redirect path with two initial slashes"
 +                    )
                 self.redirect(self.request.path + "/", permanent=True)
                 return None
             absolute_path = os.path.join(absolute_path, self.default_filename)
 -- 
 2.39.3
--- a/SPECS/python-tornado.spec
+++ b/SPECS/python-tornado.spec
@ -11,7 +11,7 @@ ideal for real-time web services.}
 Name:           python-%{srcname}
 Version:        6.1.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Scalable, non-blocking web server and tools
 License:        ASL 2.0
@ -20,9 +20,13 @@ Source0:        https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcn
 # Do not turn DeprecationWarning in tornado module into Exception
 # fixes FTBFS with Python 3.8
-Patch1:         Do-not-turn-DeprecationWarning-into-Exception.patch
+Patch:         Do-not-turn-DeprecationWarning-into-Exception.patch
 # Fix timeout failure in architectures such as ppc64le.
-Patch2:         Increase-timeout-in-test_request_timeout.patch
+Patch:         Increase-timeout-in-test_request_timeout.patch
 # CVE-2023-28370
 Patch: 0001-Add-test-for-open-redirect-issue.patch
 Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
 BuildRequires:  gcc
 BuildRequires:  python%{python3_pkgversion}-setuptools
@ -68,6 +72,10 @@ export ASYNC_TEST_TIMEOUT=10
 %doc demos
 %changelog
 * Tue Jul 25 2023 Sergio Correia <scorreia@redhat.com> - 6.1.0-9
 - Fix an open redirect in StaticFileHandler
  Resolves: CVE-2023-28370
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 6.1.0-8
 - Rebuilt for MSVSphere 9.1.