diff --git a/CVE-2023-28370.patch b/CVE-2023-28370.patch
deleted file mode 100644
index f99a1feaf00c89798d615f4bb9fb6c2dae95f373..0000000000000000000000000000000000000000
--- a/CVE-2023-28370.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
-From: Ben Darnell
-Date: Sat, 13 May 2023 20:58:52 -0400
-Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
-
-Under some configurations the default_filename redirect could be exploited
-to redirect to an attacker-controlled site. This change refuses to redirect
-to URLs that could be misinterpreted.
-
-A test case for the specific vulnerable configuration will follow after the
-patch has been available.
---
- tornado/web.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/tornado/web.py b/tornado/web.py
-index 3b676e3c2..565140493 100644
---- a/tornado/web.py
-+++ b/tornado/web.py
-@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
- # but there is some prefix to the path that was already
- # trimmed by the routing
- if not self.request.path.endswith("/"):
-+ if self.request.path.startswith("//"):
-+ # A redirect with two initial slashes is a "protocol-relative" URL.
-+ # This means the next path segment is treated as a hostname instead
-+ # of a part of the path, making this effectively an open redirect.
-+ # Reject paths starting with two slashes to prevent this.
-+ # This is only reachable under certain configurations.
-+ raise HTTPError(
-+ 403, "cannot redirect path with two initial slashes"
-+ )
- self.redirect(self.request.path + "/", permanent=True)
- return None
- absolute_path = os.path.join(absolute_path, self.default_filename)
diff --git a/python-tornado.spec b/python-tornado.spec
index b5bd4f35edf906f3a18b773f2e1f9efd50413217..22cf71672ea30c413f62ff544e7e6169c188adec 100644
--- a/python-tornado.spec
+++ b/python-tornado.spec
@@ -1,12 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name: python-tornado
-Version: 6.1
-Release: 2
+Version: 6.3.2
+Release: 1
 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 License: ASL 2.0
 URL: http://www.tornadoweb.org/
-Source0: https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
-Patch0: CVE-2023-28370.patch
+Source0: https://files.pythonhosted.org/packages/30/f0/6e5d85d422a26fd696a1f2613ab8119495c1ebb8f49e29f428d15daf79cc/tornado-6.3.2.tar.gz
 %description
 Tornado is an open source version of the scalable, non-blocking web server and tools.
@@ -73,6 +72,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Thu Jul 13 2023 liuyongshuai - 6.3.2-1
+- Upgrade version to 6.3.2-1
+
 * Fri Jun 16 2023 yaoxin - 6.1-2
 - Fix CVE-2023-28370
diff --git a/tornado-6.1.tar.gz b/tornado-6.1.tar.gz
deleted file mode 100644
index 7b2a673d10ed78b8b5b594019ead69e391dcd626..0000000000000000000000000000000000000000
Binary files a/tornado-6.1.tar.gz and /dev/null differ
diff --git a/tornado-6.3.2.tar.gz b/tornado-6.3.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b0116ed073f6b84156568779c3bca639d2a6f986
Binary files /dev/null and b/tornado-6.3.2.tar.gz differ
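Review bot: Dropping `Patch0: CVE-2023-28370.patch` in the same hunk as the version bump leaves no record in the spec that the fix is now expected to come from upstream; the deleted patch identifies the upstream change (commit 32ad07c, dated 13 May 2023, adding the `startswith("//")` guard in `StaticFileHandler.validate_absolute_path`), and the 6.3.2 tarball should carry it, but nothing in this change verifies that. Before building, confirm that `tornado/web.py` inside tornado-6.3.2.tar.gz contains the `cannot redirect path with two initial slashes` check, and state the reason for the drop in the changelog entry of the second hunk, e.g. `- Upgrade version to 6.3.2-1 (drop CVE-2023-28370.patch, fix is included upstream)`. Without that, a later audit of this spec sees CVE-2023-28370 only under the 6.1-2 changelog entry and cannot tell whether the 6.3.2 build is still covered.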