github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Fix for open redirect - identified in Issue 2429 (#2500)

Browse source 
* Issue 2429 indicates the possiblity of an open redirect

The 404 processing ends up redirecting a request with multiple path
slashes to that site, i.e.

https://my-site//shedcode.co.uk will redirect to https://shedcode.co.uk

This commit uses a regular expression to remove the multiple leading
slashes before redirecting.
This commit is contained in:
James Jefferies 2025-11-05 01:04:12 +00:00 committed by Simon Willison
commit c1dd2c1dfb
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
datasette/app.py
View file

@ -1391,6 +1391,11 @@ class DatasetteRouter:
context = {} context = {}
if path.endswith(b"/"): if path.endswith(b"/"):
path = path.rstrip(b"/") path = path.rstrip(b"/")
# If you redirect with a // at the beginning, you end up with an open redirect, so
# https://my.site//foo/ - will redirect to https://foo
path = re.sub(rb"^/+", b"/", path)
if request.scope["query_string"]: if request.scope["query_string"]:
path += b"?" + request.scope["query_string"] path += b"?" + request.scope["query_string"]
await asgi_send_redirect(send, path.decode("latin1")) await asgi_send_redirect(send, path.decode("latin1"))

6
tests/test_custom_pages.py
View file

@ -97,3 +97,9 @@ def test_custom_route_pattern_404(custom_pages_client):
assert response.status == 404 assert response.status == 404
assert "<h1>Error 404</h1>" in response.text assert "<h1>Error 404</h1>" in response.text
assert ">Oh no</" in response.text assert ">Oh no</" in response.text
def test_custom_route_pattern_with_slash_slash_302(custom_pages_client):
response = custom_pages_client.get("//nastyOpenRedirect/")
assert response.status == 302
assert response.headers["location"] == "/nastyOpenRedirect"