File CVE-2024-41810.patch of Package python-Twisted.34943
Index: Twisted-19.10.0/src/twisted/web/newsfragments/12263.bugfix
===================================================================
--- /dev/null
+++ Twisted-19.10.0/src/twisted/web/newsfragments/12263.bugfix
@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
\ No newline at end of file
Index: Twisted-19.10.0/src/twisted/web/newsfragments/9839.bugfix
===================================================================
--- /dev/null
+++ Twisted-19.10.0/src/twisted/web/newsfragments/9839.bugfix
@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
Index: Twisted-19.10.0/src/twisted/web/test/test_util.py
===================================================================
--- Twisted-19.10.0.orig/src/twisted/web/test/test_util.py
+++ Twisted-19.10.0/src/twisted/web/test/test_util.py
@@ -59,6 +59,44 @@ class RedirectToTests(TestCase):
self.assertRaises(TypeError, redirectTo, targetURL, request)
+ def test_legitimateRedirect(self):
+ """
+ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
+ """
+ request = DummyRequest([b""])
+ html = redirectTo(b"https://twisted.org/", request)
+ expected = b"""
+<html>
+ <head>
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
+ </head>
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+ <a href=\"https://twisted.org/\">click here</a>
+ </body>
+</html>
+"""
+ self.assertEqual(html, expected)
+
+ def test_maliciousRedirect(self):
+ """
+ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
+ """
+ request = DummyRequest([b""])
+ html = redirectTo(
+ b'https://twisted.org/"><script>alert(document.location)</script>', request
+ )
+ expected = b"""
+<html>
+ <head>
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"><script>alert(document.location)</script>\">
+ </head>
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+ <a href=\"https://twisted.org/"><script>alert(document.location)</script>\">click here</a>
+ </body>
+</html>
+"""
+ self.assertEqual(html, expected)
+
class FailureElementTests(TestCase):
"""
Index: Twisted-19.10.0/src/twisted/web/util.py
===================================================================
--- Twisted-19.10.0.orig/src/twisted/web/util.py
+++ Twisted-19.10.0/src/twisted/web/util.py
@@ -70,7 +70,7 @@ def redirectTo(URL, request):
<a href=\"%(url)s\">click here</a>
</body>
</html>
-""" % {'url': nativeString(URL)}
+""" % {'url': nativeString(escape(URL))}
if _PY3:
content = content.encode("utf8")
return content
