Upgrade ShredOS to buildroot v24.11
@@ -1,42 +0,0 @@
|
||||
From ac79778c91bd9a4a92111f7e06d4b12674571113 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Darnell <ben@bendarnell.com>
|
||||
Date: Sat, 13 May 2023 20:58:52 -0400
|
||||
Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
|
||||
|
||||
Under some configurations the default_filename redirect could be exploited
|
||||
to redirect to an attacker-controlled site. This change refuses to redirect
|
||||
to URLs that could be misinterpreted.
|
||||
|
||||
A test case for the specific vulnerable configuration will follow after the
|
||||
patch has been available.
|
||||
|
||||
Upstream: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
|
||||
[Thomas: backported to fix CVE-2023-28370]
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
tornado/web.py | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/tornado/web.py b/tornado/web.py
|
||||
index cd6a81b4..05b571eb 100644
|
||||
--- a/tornado/web.py
|
||||
+++ b/tornado/web.py
|
||||
@@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler):
|
||||
# but there is some prefix to the path that was already
|
||||
# trimmed by the routing
|
||||
if not self.request.path.endswith("/"):
|
||||
+ if self.request.path.startswith("//"):
|
||||
+ # A redirect with two initial slashes is a "protocol-relative" URL.
|
||||
+ # This means the next path segment is treated as a hostname instead
|
||||
+ # of a part of the path, making this effectively an open redirect.
|
||||
+ # Reject paths starting with two slashes to prevent this.
|
||||
+ # This is only reachable under certain configurations.
|
||||
+ raise HTTPError(
|
||||
+ 403, "cannot redirect path with two initial slashes"
|
||||
+ )
|
||||
self.redirect(self.request.path + "/", permanent=True)
|
||||
return None
|
||||
absolute_path = os.path.join(absolute_path, self.default_filename)
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# md5, sha256 from https://pypi.org/pypi/tornado/json
|
||||
md5 32fbad606b439c3e1bf4e79d4e872741 tornado-6.2.tar.gz
|
||||
sha256 9b630419bde84ec666bfd7ea0a4cb2a8a651c2d5cccdbdd1972a0c859dfc3c13 tornado-6.2.tar.gz
|
||||
md5 07ebd88a2a7acee1b819738f3f4ca7ef tornado-6.4.1.tar.gz
|
||||
sha256 92d3ab53183d8c50f8204a51e6f91d18a15d5ef261e84d452800d4ff6fc504e9 tornado-6.4.1.tar.gz
|
||||
# Locally computed sha256 checksums
|
||||
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
|
||||
|
||||
@@ -4,15 +4,13 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
PYTHON_TORNADO_VERSION = 6.2
|
||||
PYTHON_TORNADO_VERSION = 6.4.1
|
||||
PYTHON_TORNADO_SOURCE = tornado-$(PYTHON_TORNADO_VERSION).tar.gz
|
||||
PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/f3/9e/225a41452f2d9418d89be5e32cf824c84fe1e639d350d6e8d49db5b7f73a
|
||||
PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/ee/66/398ac7167f1c7835406888a386f6d0d26ee5dbf197d8a571300be57662d3
|
||||
PYTHON_TORNADO_LICENSE = Apache-2.0
|
||||
PYTHON_TORNADO_LICENSE_FILES = LICENSE
|
||||
PYTHON_TORNADO_CPE_ID_VENDOR = tornadoweb
|
||||
PYTHON_TORNADO_CPE_ID_PRODUCT = tornado
|
||||
PYTHON_TORNADO_SETUP_TYPE = setuptools
|
||||
# 0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch
|
||||
PYTHON_TORNADO_IGNORE_CVES += CVE-2023-28370
|
||||
|
||||
$(eval $(python-package))
|
||||
|
||||
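Review bot: The `# 0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch` comment and the `PYTHON_TORNADO_IGNORE_CVES += CVE-2023-28370` line appear to be dropped from the .mk along with the backport patch itself, but nothing in the file records why that is safe at 6.4.1. Tornado's upstream fix for CVE-2023-28370 (commit 32ad07c, cited in the removed patch header) shipped in release 6.3.2, so 6.4.1 carries it natively and a leftover IGNORE_CVES entry would only hide the id from Buildroot's CVE reporting; removing both is the right call. A one-line note next to the version, such as `# CVE-2023-28370 is fixed upstream since 6.3.2; the local backport patch was dropped with the 6.4.1 bump`, or a sentence in the commit message would spare the next reviewer from re-deriving this. The old/new side of the paired PYTHON_TORNADO_VERSION and PYTHON_TORNADO_SITE lines is not marked in this rendering, so the 6.2 to 6.4.1 direction is inferred from the hash-file section rather than read from the hunk.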