git.ipfire.org Git - thirdparty/tornado.git/commit
web: Fix an open redirect in StaticFileHandler
author Ben Darnell <ben@bendarnell.com>
Sun, 14 May 2023 00:58:52 +0000 (20:58 -0400)
committer Ben Darnell <ben@bendarnell.com>
Sun, 14 May 2023 01:30:02 +0000 (21:30 -0400)
commit 32ad07c54e607839273b4e1819c347f5c8976b2f
tree 5c54862140ee123a3de9802bb4992bf16f78bb46
parent e0fa53ee96db720dc7800d0248c39a4ffb8911e9
web: Fix an open redirect in StaticFileHandler

Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.

A test case for the specific vulnerable configuration will follow after the
patch has been available.
tornado/web.py
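
The commit message speaks of refusing to redirect to URLs that could be misinterpreted. The block below is an added example of that kind of check for a trailing-slash directory redirect; it is not Tornado's code and is not taken from this commit. The function names, the 403 status and the sample paths are assumptions made for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def host_seen_by_parser(location: str) -> str:
    """Host a URL parser extracts from a Location value ("" if none)."""
    return urlsplit(location).netloc


def directory_redirect(request_path: str) -> Tuple[int, Optional[str]]:
    """Decide the response for a directory requested without a trailing slash.

    Returns (301, location) when adding "/" gives an unambiguous same-site
    path, otherwise (403, None). The 403 is this example's choice.
    """
    location = request_path + "/"
    # Control characters (CR/LF included) never belong in a header value.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        return 403, None
    # The value must be an absolute path: exactly one leading slash. Two
    # leading slashes make it a network-path reference (RFC 3986, 4.2), so
    # the next segment is read as a host rather than as part of the path.
    if not location.startswith("/") or location.startswith("//"):
        return 403, None
    # Backslashes are refused because some clients treat them as slashes.
    if "\\" in location:
        return 403, None
    return 301, location


# Constructed sample paths; example.invalid is a reserved placeholder name.
SAMPLES = ["/static/docs", "//example.invalid", "/\\example.invalid", "docs"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(repr(path), directory_redirect(path),
              repr(host_seen_by_parser(path + "/")))
```

The leading-slash test is done on the string itself because `urlsplit` reports an empty host for three or more leading slashes, so a parser-only check would let that form through.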