Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370
The NVD advisory mentions that the vulnerability was fixed in v6.3.2. I checked the commits in that tag, and picked the only one that's commit message described the same vulnerability as the NVD report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../python3-tornado/CVE-2023-28370.patch | 39 +++++++++++++++++++ .../python/python3-tornado_6.1.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch new file mode 100644 index 0000000000..b8b6029753 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch @@ -0,0 +1,39 @@ +From c5674de64189ac407e6ace51bed08899f267ae44 Mon Sep 17 00:00:00 2001 +From: Ben Darnell <[email protected]> +Date: Sat, 13 May 2023 20:58:52 -0400 +Subject: [PATCH] web: Fix an open redirect in StaticFileHandler + +Under some configurations the default_filename redirect could be exploited +to redirect to an attacker-controlled site. This change refuses to redirect +to URLs that could be misinterpreted. + +A test case for the specific vulnerable configuration will follow after the +patch has been available. + +CVE: CVE-2023-28370 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + tornado/web.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tornado/web.py b/tornado/web.py +index 546e6ec..8410880 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler): + # but there is some prefix to the path that was already + # trimmed by the routing + if not self.request.path.endswith("/"): ++ if self.request.path.startswith("//"): ++ # A redirect with two initial slashes is a "protocol-relative" URL. ++ # This means the next path segment is treated as a hostname instead ++ # of a part of the path, making this effectively an open redirect. ++ # Reject paths starting with two slashes to prevent this. ++ # This is only reachable under certain configurations. ++ raise HTTPError( ++ 403, "cannot redirect path with two initial slashes" ++ ) + self.redirect(self.request.path + "/", permanent=True) + return None + absolute_path = os.path.join(absolute_path, self.default_filename) diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb index 1dedc51029..d4cb58febc 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb @@ -6,6 +6,7 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/"; LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" +SRC_URI += "file://CVE-2023-28370.patch" SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321" SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123250): https://lists.openembedded.org/g/openembedded-devel/message/123250 Mute This Topic: https://lists.openembedded.org/mt/117149087/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
