File CVE-2024-42353-url-redirection.patch of Package python-WebOb.35287
From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
From: Delta Regeer <xistence@0x58.com>
Date: Wed, 7 Aug 2024 11:15:35 -0600
Subject: [PATCH] Add fix for open redirect
---
src/webob/response.py | 5 +++++
tests/test_response.py | 11 +++++++++++
2 files changed, 16 insertions(+)
Index: WebOb-1.2.3/tests/test_response.py
===================================================================
--- WebOb-1.2.3.orig/tests/test_response.py
+++ WebOb-1.2.3/tests/test_response.py
@@ -1029,3 +1029,13 @@ def test_cache_expires_set_zero_then_non
ok_(not res.cache_control.no_store)
ok_(not res.cache_control.must_revalidate)
eq_(res.cache_control.max_age, 1)
+
+def test_location_no_open_redirect():
+ # This is a test for a fix for CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ res = Response()
+ res.status = "301"
+ res.location = "//www.example.com/test"
+ assert res.location == "//www.example.com/test"
+ req = Request.blank("/")
+ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
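Review bot: The new test pins the rewritten Location only for the `//` input; it does not pin that the branch leaves ordinary values alone, so a regression in the same emission path (a plain relative path or a full `http://` URL being mangled) would pass this test. Adding `res.location = "/test"` followed by `assert req.get_response(res).location == "http://localhost/test"`, plus one absolute-URL value asserted to pass through verbatim, would close that gap. The first assert also deserves a one-line comment, e.g. `# the rewrite happens when the response is served, not on assignment`, since it is otherwise surprising that `res.location` still returns the raw `//` form right after the fix.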
Index: WebOb-1.2.3/webob/response.py
===================================================================
--- WebOb-1.2.3.orig/webob/response.py
+++ WebOb-1.2.3/webob/response.py
@@ -1033,6 +1033,11 @@ class Response(object):
if name.lower() == 'location':
if SCHEME_RE.search(value):
break
+ # This is to fix an open redirect issue due to the way that
+ # urlparse.urljoin works. See CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ if value.startswith("//"):
+ value = "/%2f{}".format(value[2:])
new_location = urlparse.urljoin(_request_uri(environ), value)
headerlist[i] = (name, new_location)
break
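Review bot: The added comment at the `if value.startswith("//")` line says this fixes an open redirect but not why encoding only the second slash is sufficient, which is the non-obvious part of the change; I would extend it to `# "//host/path" is a network-path reference: urljoin would replace our host with it. Encoding the second slash makes it an absolute path on our own host instead.` The rewrite is also silent: a caller that set a protocol-relative Location (or passed a request-controlled value into it) now gets a redirect to `/%2f…` on its own host with no signal that the value was altered, so if this module has a logger available a warning at that point would make such cases visible in operation. The enclosing method and the loop over `headerlist` start outside the hunk.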