[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL
STINNER Victor
report at bugs.python.org
Mon Nov 20 09:24:07 EST 2017
STINNER Victor <victor.stinner at gmail.com> added the comment:
I wrote this patch, but I'm not sure that it's ok to always reject redirection URLs starting with //:
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 502bce0c7a..494031b8c2 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -673,10 +673,18 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
parts = urllib.parse.urlsplit(self.path)
if not parts.path.endswith('/'):
# redirect browser - doing basically what apache does
- self.send_response(HTTPStatus.MOVED_PERMANENTLY)
new_parts = (parts[0], parts[1], parts[2] + '/',
parts[3], parts[4])
new_url = urllib.parse.urlunsplit(new_parts)
+
+ # Browsers interpret "Location: //uri" as an absolute URI
+ # like "http://URI"
+ if new_url.startswith('//'):
+ self.send_error(HTTPStatus.BAD_REQUEST,
+ "URI must not start with //")
+ return None
+
+ self.send_response(HTTPStatus.MOVED_PERMANENTLY)
self.send_header("Location", new_url)
self.end_headers()
return None
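Review bot: the new check `if new_url.startswith('//')` only catches the scheme-less case. `new_parts` still passes `parts[0]` (scheme) and `parts[1]` (netloc) straight through to `urlunsplit`, so a request-target that `urlsplit` parses with a non-empty scheme produces a `new_url` such as `http://host/dir/` that does not start with `//` and is sent as the Location unchanged. Testing the parsed components instead, e.g. `if parts.scheme or parts.netloc:`, or rebuilding the Location from `parts.path` alone with empty scheme and netloc, covers both forms. Moving `self.send_response(HTTPStatus.MOVED_PERMANENTLY)` below the check is necessary, since otherwise `send_error` would emit a second status line after the 301 had already been written.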
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32084>
_______________________________________
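The open redirect the patch above is aimed at, shown as an added example that is not code from CPython or from the bug report: three small functions model the Location construction in SimpleHTTPRequestHandler.send_head before the patch, with the patch's `//` check, and with a path-normalizing alternative. The function names and the request targets are constructed for illustration; the example reproduces only the Location building, not the preceding `os.path.isdir` check.

```python
"""Added example (not CPython's code): how the directory redirect in
SimpleHTTPRequestHandler.send_head can emit a protocol-relative Location
header, what the posted patch does about it, and an alternative that keeps
the redirect on the serving host. Function names are hypothetical."""
from http import HTTPStatus
from urllib.parse import urlsplit, urlunsplit


def location_before_fix(request_path):
    """Pre-patch logic: append '/' to the path and reassemble the URL,
    keeping whatever scheme and netloc urlsplit extracted from the target.
    For '//evil.example/pub' the host lands in parts[1] and comes back out."""
    parts = urlsplit(request_path)
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urlunsplit(new_parts)


def location_with_patch(request_path):
    """The posted patch: build the URL the same way, then refuse anything
    that begins with '//'. A browser resolves 'Location: //host/...' against
    the request scheme, i.e. as http://host/..., so it would leave the site.
    Returns (status, location) with location None when rejected."""
    new_url = location_before_fix(request_path)
    if new_url.startswith('//'):
        return HTTPStatus.BAD_REQUEST, None
    return HTTPStatus.MOVED_PERMANENTLY, new_url


def location_path_only(request_path):
    """Alternative (an assumption here, not the patch): collapse leading
    slashes on the raw target before splitting, so urlsplit cannot take an
    attacker-supplied host as the netloc, then rebuild with empty scheme and
    netloc. The Location is always a same-host path."""
    normalized = '/' + request_path.lstrip('/')
    parts = urlsplit(normalized)
    path = parts.path if parts.path.endswith('/') else parts.path + '/'
    return urlunsplit(('', '', path, parts.query, parts.fragment))


# Constructed request targets: an ordinary directory with a query string,
# a host smuggled in as a network-path reference, and the same with extra
# slashes (urlsplit then yields an empty netloc and a path starting '//').
CASES = ['/pub?x=1', '//evil.example/pub', '////evil.example/pub']

if __name__ == '__main__':
    for target in CASES:
        print(target)
        print('  before patch :', location_before_fix(target))
        print('  with patch   :', location_with_patch(target))
        print('  path only    :', location_path_only(target))
```

The third case is why the patch checks the assembled `new_url` rather than `parts.netloc` alone: with four leading slashes the host is not in the netloc at all, yet the reassembled string still begins with `//` and a browser would still treat it as another origin. The exact string urlunsplit returns for that case differs between Python versions, but it starts with `//` in all of them, so the patch's check holds; the path-only variant avoids the question by normalizing the target first.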