git.ipfire.org Git - thirdparty/tornado.git/commit
web: Fix an open redirect in StaticFileHandler 3266/head
author Ben Darnell <ben@bendarnell.com>
Sun, 14 May 2023 00:58:52 +0000 (20:58 -0400)
committer Ben Darnell <ben@bendarnell.com>
Sun, 14 May 2023 00:58:52 +0000 (20:58 -0400)
commit 8f35b31ab82f5b665460966cec7c1bef323137c1
tree 207468858e78896782a0d54b23b2e5ee87e150c2
parent aca0a2f26ba6c6a24ad8aa7c93aeda5f1beb0ff5
web: Fix an open redirect in StaticFileHandler

Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.

A test case for the specific vulnerable configuration will follow after the
patch has been available.
tornado/web.py
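
The kind of check the commit message describes, as an added example that is not Tornado's code or part of this commit: before a handler issues a redirect that appends a trailing slash to the request path (assumed here to be the shape of the default_filename redirect), confirm the target can only be read as a path on the same host. Which URLs count as "could be misinterpreted" is an assumption (scheme-relative `//` forms, backslash variants, embedded tab/CR/LF), and `is_same_origin_path` and `directory_redirect` are hypothetical names.

```python
from typing import Optional
from urllib.parse import urlsplit

# Characters that browser URL parsers silently drop before resolving a
# Location header (assumption: WHATWG URL parsing rules).
_STRIPPED = ("\t", "\r", "\n")


def is_same_origin_path(target: str) -> bool:
    """True only if `target` can be resolved solely as a path on this host."""
    if any(ch in target for ch in _STRIPPED):
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before checking.
    normalised = target.replace("\\", "/")
    # Exactly one leading slash: "//host/..." is scheme-relative and names a host.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    return parts.scheme == "" and parts.netloc == ""


def directory_redirect(request_path: str) -> Optional[str]:
    """Hypothetical helper: Location for a 'missing trailing slash' redirect.

    Returns None when no redirect should be sent: either the path is already
    canonical, or the target is ambiguous and the request should be refused.
    """
    if request_path.endswith("/"):
        return None
    target = request_path + "/"
    return target if is_same_origin_path(target) else None


# Constructed sample request paths (not taken from the commit).
SAMPLES = ["/docs", "/docs/", "//host.invalid/docs", "/\\host.invalid/docs"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(repr(path), "->", directory_redirect(path))
```
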