From 42eb552059eb1ec9df7f71c7c8dd8e6597640a93 Mon Sep 17 00:00:00 2001
From: Hamza Avvan
Date: Sun, 14 Mar 2021 01:01:06 +0500
Subject: [PATCH] bpo-43223: Fix Open Redirection In http.server module

Fix an open redirection vulnerability in the HTTP server when a URL contains ``//``.

Added test case for bpo-43223 patch
---
 Lib/http/server.py | 7 +++++++
 Lib/test/test_http/test_http.py | 11 +++++++++++
 .../Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst | 2 ++
 3 files changed, 20 insertions(+)
 create mode 100644 Lib/test/test_http/test_http.py
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 94f730ed3445be..af3d37841cd7c7 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -101,6 +101,7 @@
 import socket # For gethostbyaddr()
 import socketserver
 import sys
+import re
 import time
 import urllib.parse
 import contextlib
@@ -332,6 +333,12 @@ def parse_request(self):
                 return False
         self.command, self.path = command, path
 
+        # bpo-43223: The purpose of replacing '//' with '/' is to protect against
+        # open redirect attacks reside within http.server module which can be triggered
+        # if the path contains '//' at the beginning because web clients treat //path as
+        # an absolute url without scheme (similar to http://path) rather than a relative path
+        self.path = re.sub(r'^(/)+', '/', self.path)
+
         # Examine the headers and look for a Connection directive.
         try:
             self.headers = http.client.parse_headers(self.rfile,
diff --git a/Lib/test/test_http/test_http.py b/Lib/test/test_http/test_http.py
new file mode 100644
index 00000000000000..464145af826be8
--- /dev/null
+++ b/Lib/test/test_http/test_http.py
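Review bot: The normalisation on the last added line of the parse_request hunk reaches for `re` (hence the new module import in the hunk above) and a needless capture group for what is a fixed-prefix check; `if self.path.startswith('//'): self.path = '/' + self.path.lstrip('/')` does the same job without the regex and reads as what it is. It only collapses a leading run of slashes, so `/a//b` is left alone, which is the right scope (only a leading `//` is read by clients as a scheme-relative URL), but the commit message and NEWS entry say the bug triggers when a URL "contains" `//` and should say "starts with". The added comment's grammar is hard to follow; suggested wording: `# bpo-43223: collapse a leading run of '/' to a single '/'. Clients treat '//host/...' as a scheme-relative URL (like 'http://host/...'), so echoing such a path back in a redirect Location would send them to an attacker-chosen host.` Note that this rewrites self.path for every BaseHTTPRequestHandler subclass, not only the file-serving handler whose directory redirect is the concern; that redirect is built in send_head, outside this hunk, so it is worth confirming it derives its Location from the normalised self.path. parse_request continues past the end of the hunk.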
@@ -0,0 +1,11 @@
+import unittest
+import re
+
+class TestHTTP(unittest.TestCase):
+
+    def test_http_parse_request(self):
+        self.assertEqual(re.sub(r'^/+', '/', '//test.com'), '/test.com', '//test.com should be converted to a proper relative path')
+        self.assertEqual(re.sub(r'^/+', '/', '///test.com'), '/test.com', '///test.com should be converted to a proper relative path')
+
+if __name__ == '__main__':
+    unittest.main()
\ No newline at end of file
diff --git a/Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst b/Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst
new file mode 100644
index 00000000000000..125b4e224aaaa9
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst
@@ -0,0 +1,2 @@
+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server when an URL contains ``//``.
+Vulnerability discovered and fixed by Hamza Avvan.
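Review bot: The two assertions in test_http_parse_request exercise `re.sub` on string literals rather than the server, and with a different pattern (`^/+`) from the one the fix adds to parse_request (`^(/)+`), so the test keeps passing even if the change to http.server is reverted. It should drive `BaseHTTPRequestHandler.parse_request` with a request line such as `GET //example.com/ HTTP/1.1` and assert `self.path == '/example.com/'`, and ideally request a directory without a trailing slash from `SimpleHTTPRequestHandler` and check that the 301 `Location` header does not start with `//`. CPython's existing `Lib/test/test_httpservers.py` already carries the handler/server harness for this, so a new `Lib/test/test_http/` directory looks unnecessary; as added here it has no `__init__.py`, so whether the test runner discovers it at all is worth confirming. The file also ends without a trailing newline.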