◐ Shell reader mode source ↗

[3.9] gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879)#94093

Merged

ambv merged 1 commit into

miss-islington:backport-4abab6b-3.9

Jun 22, 2022

miss-islington commented Jun 21, 2022 •

edited

Loading

Copy link Copy Markdown

Contributor

Fix an open redirection vulnerability in the http.server module when
an URI path starts with // that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Co-authored-by: Gregory P. Smith greg@krypto.org

Automerge-Triggered-By: GH:gpshead


          pythongh-87389: Fix an open redirection vulnerability in http.server. (…

…

31dbe66

…pythonGH-93879)

Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-bot added the awaiting review label Jun 21, 2022

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Status check is done, and it's a success ✅ .

3 similar comments

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Status check is done, and it's a success ✅ .

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Status check is done, and it's a success ✅ .

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Status check is done, and it's a success ✅ .

bedevere-bot added An unexpected behavior, bug, or error type-security A security issue labels Jun 21, 2022

bedevere-bot mentioned this pull request Jun 21, 2022

gh-87389: Fix an open redirection vulnerability in http.server. #93879

Merged

gpshead approved these changes Jun 21, 2022

View reviewed changes

bedevere-bot added awaiting merge and removed awaiting review labels Jun 21, 2022

gpshead added the 🤖 automerge label Jun 21, 2022

ambv commented Jun 21, 2022

Copy link Copy Markdown

Contributor

@gpshead 3.9 won't automerge anymore either without RMs landing it. It is now also "such an old branch" 🥲

gpshead removed the 🤖 automerge label Jun 21, 2022

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Status check is done, and it's a success ✅ .

miss-islington commented Jun 21, 2022

Copy link Copy Markdown

Contributor Author

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

ambv merged commit defaa2b into python:3.9 Jun 22, 2022

bedevere-bot removed the awaiting merge label Jun 22, 2022

miss-islington deleted the backport-4abab6b-3.9 branch June 22, 2022 08:42

ambv mentioned this pull request Jun 22, 2022

[3.7] gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) #94095

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Assignees

No one assigned

Labels

type-bug type-security A security issue

Projects

Milestone

No milestone