File CVE-2020-26215.patch of Package python-notebook
From 1abd95130c3345accf002805fa7c12c7fcca5286 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Thu, 15 Oct 2020 09:39:44 +0200
Subject: [PATCH] Validate redirect target in TrailingSlashHandler
Fixes open redirect vulnerability GHSA-c7vm-f5p4-8fqh
---
notebook/base/handlers.py | 14 ++++++++++----
notebook/tests/test_paths.py | 18 ++++++++++++++++++
2 files changed, 28 insertions(+), 4 deletions(-)
Index: notebook-5.7.8/notebook/base/handlers.py
===================================================================
--- notebook-5.7.8.orig/notebook/base/handlers.py
+++ notebook-5.7.8/notebook/base/handlers.py
@@ -857,13 +857,18 @@ class APIVersionHandler(APIHandler):
class TrailingSlashHandler(web.RequestHandler):
"""Simple redirect handler that strips trailing slashes
-
+
This should be the first, highest priority handler.
"""
-
+
def get(self):
- self.redirect(self.request.uri.rstrip('/'))
-
+ path, sep, rest = self.request.uri.partition("?")
+ # trim trailing *and* leading /
+ # to avoid misinterpreting repeated '//'
+ path = "/" + path.strip("/")
+ new_uri = "".join([path, sep, rest])
+ self.redirect(new_uri)
+
post = put = get
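Review bot: The new `path.strip("/")` collapses only forward slashes, so if a literal backslash can survive in `request.uri` (not visible in this hunk; it depends on Tornado's request-line parsing and the route regex that selects this handler) a request for `/\example.com/` is redirected to `/\example.com`, which WHATWG-style URL parsers in browsers treat like `//example.com` — the same protocol-relative target this patch sets out to block. If that path is reachable, stripping both separators closes it: `path = "/" + path.strip("/\\")`, at the cost of also trimming a trailing backslash, which is unlikely to be a legitimate notebook path; a matching `("/\\example.com/", "/example.com")` case belongs in the redirect test. Independently, the class docstring still says only "Simple redirect handler that strips trailing slashes" and does not record why leading slashes are now collapsed; I would add `Leading slashes are collapsed too, so a request for //host/ cannot turn into a protocol-relative (open) redirect — see GHSA-c7vm-f5p4-8fqh.` so the security intent survives a future cleanup of the "odd-looking" strip.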
@@ -914,6 +919,7 @@ class RedirectWithParams(web.RequestHand
url = sep.join([self._url, self.request.query])
self.redirect(url, permanent=self._permanent)
+
class PrometheusMetricsHandler(IPythonHandler):
"""
Return prometheus metrics for this notebook server
Index: notebook-5.7.8/notebook/tests/test_paths.py
===================================================================
--- notebook-5.7.8.orig/notebook/tests/test_paths.py
+++ notebook-5.7.8/notebook/tests/test_paths.py
@@ -3,6 +3,8 @@ import re
import nose.tools as nt
from notebook.base.handlers import path_regex
+from notebook.utils import url_path_join
+from .launchnotebook import NotebookTestBase
try: # py3
assert_regex = nt.assert_regex
@@ -38,3 +40,18 @@ def test_path_regex_bad():
'/y/x/foo',
):
assert_not_regex(path, path_pat)
+
+
+class RedirectTestCase(NotebookTestBase):
+ def test_trailing_slash(self):
+ for uri, expected in (
+ ("/notebooks/mynotebook/", "/notebooks/mynotebook"),
+ ("////foo///", "/foo"),
+ ("//example.com/", "/example.com"),
+ ("/has/param/?hasparam=true", "/has/param?hasparam=true"),
+ ):
+ r = self.request("GET", uri, allow_redirects=False)
+ print(uri, expected)
+ assert r.status_code == 302
+ assert "Location" in r.headers
+ assert r.headers["Location"] == url_path_join(self.url_prefix, expected)
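Review bot: The case table never exercises leading-slash collapsing together with a query string, which is the one place where the new `partition("?")` and `strip("/")` logic interact; a row such as `("//example.com//?next=1", "/example.com?next=1")` would pin that the query is preserved and that no `//` is reintroduced when the pieces are joined. The `print(uri, expected)` before the asserts reads as leftover debugging; attaching the case to the assertion instead keeps the failure readable without the noise, e.g. `assert r.headers["Location"] == url_path_join(self.url_prefix, expected), uri`. The expected values assume `url_path_join` drops the leading `/` of `expected` when `self.url_prefix` is non-trivial, which is defined outside this hunk and worth confirming with a non-empty base URL.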