Overview

File CVE-2024-41810.patch of Package python-Twisted.34938

Index: Twisted-15.2.1/twisted/web/test/test_util.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/test/test_util.py
+++ Twisted-15.2.1/twisted/web/test/test_util.py
@@ -54,6 +54,45 @@ class RedirectToTests(TestCase):
         targetURL = u'http://target.example.com/4321'
         self.assertRaises(TypeError, redirectTo, targetURL, request)
 
+    def test_legitimateRedirect(self):
+        """
+        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
+        """
+        request = Request(DummyChannel(), True)
+        request.method = 'GET'
+        html = redirectTo("https://twisted.org/", request)
+        expected = """
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
+
+    def test_maliciousRedirect(self):
+        """
+        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
+        """
+        request = Request(DummyChannel(), True)
+        request.method = 'GET'
+        html = redirectTo(
+            'https://twisted.org/"><script>alert(document.location)</script>', request
+        )
+        expected = """
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/"&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
 
 
 class FailureElementTests(TestCase):
Index: Twisted-15.2.1/twisted/web/util.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/util.py
+++ Twisted-15.2.1/twisted/web/util.py
@@ -15,6 +15,7 @@ from twisted.python.reflect import fully
 from twisted.python.modules import getModule
 
 from twisted.web import resource
+from cgi import escape
 
 if not _PY3:
     # TODO: Remove when twisted.web.template and _flatten is ported
@@ -62,7 +63,7 @@ def redirectTo(URL, request):
     <a href=\"%(url)s\">click here</a>
     </body>
 </html>
-""" % {'url': nativeString(URL)}
+""" % {'url': nativeString(escape(URL))}
     if _PY3:
         content = content.encode("utf8")
     return content
openSUSE Build Service is sponsored by
Places