diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-06-22 08:42:52 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-22 08:42:52 (GMT) |
| commit | 4dc2cae3abd75f386374d0635d00443b897d0672 (patch) | |
| tree | 94b7a077833e765916a269b55e202174d7f0d63e /Misc/NEWS.d | |
| parent | 5776f724c1957d75bd4ba0c26eab2caee9484089 (diff) | |
| download | cpython-4dc2cae3abd75f386374d0635d00443b897d0672.zip cpython-4dc2cae3abd75f386374d0635d00443b897d0672.tar.gz cpython-4dc2cae3abd75f386374d0635d00443b897d0672.tar.bz2 | |
gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Diffstat (limited to 'Misc/NEWS.d')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst new file mode 100644 index 0000000..029d437 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst @@ -0,0 +1,3 @@ +:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server +when an URI path starts with ``//``. Vulnerability discovered, and initial +fix proposed, by Hamza Avvan. |