summaryrefslogtreecommitdiffstats
path: root/Misc/NEWS.d/next
diff options
context:
space:
mode:
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2022-06-22 08:42:52 (GMT)
committerGitHub <noreply@github.com>2022-06-22 08:42:52 (GMT)
commit4dc2cae3abd75f386374d0635d00443b897d0672 (patch)
tree94b7a077833e765916a269b55e202174d7f0d63e /Misc/NEWS.d/next
parent5776f724c1957d75bd4ba0c26eab2caee9484089 (diff)
downloadcpython-4dc2cae3abd75f386374d0635d00443b897d0672.zip
cpython-4dc2cae3abd75f386374d0635d00443b897d0672.tar.gz
cpython-4dc2cae3abd75f386374d0635d00443b897d0672.tar.bz2
gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094)
Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) Co-authored-by: Gregory P. Smith <greg@krypto.org>
Diffstat (limited to 'Misc/NEWS.d/next')
-rw-r--r--Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst3
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
new file mode 100644
index 0000000..029d437
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
@@ -0,0 +1,3 @@
+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
+when an URI path starts with ``//``. Vulnerability discovered, and initial
+fix proposed, by Hamza Avvan.