Add fix for open redirect

Pylons · Aug 14, 2024 · f689bcf · f689bcf
1 parent 7bf29f1
commit f689bcf
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/webob/response.py b/src/webob/response.py
@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
         if SCHEME_RE.search(value):
             return value
 
+        # This is to fix an open redirect issue due to the way that
+        # urlparse.urljoin works. See CVE-2024-42353 and
+        # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+        if value.startswith("//"):
+            value = "/%2f{}".format(value[2:])
         new_location = urlparse.urljoin(_request_uri(environ), value)
         return new_location
 

diff --git a/tests/test_response.py b/tests/test_response.py
@@ -1031,6 +1031,17 @@ def test_location():
     assert req.get_response(res).location == 'http://localhost/test2.html'
 
 
+def test_location_no_open_redirect():
+    # This is a test for a fix for CVE-2024-42353 and
+    # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+    res = Response()
+    res.status = "301"
+    res.location = "//www.example.com/test"
+    assert res.location == "//www.example.com/test"
+    req = Request.blank("/")
+    assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
+
+
 @pytest.mark.xfail(sys.version_info < (3,0),
                    reason="Python 2.x unicode != str, WSGI requires str. Test "
                    "added due to https://github.com/Pylons/webob/issues/247. "