Issue 2429 indicates the possiblity of an open redirect

The 404 processing ends up redirecting a request with multiple path slashes to that site, i.e. https://my-site//shedcode.co.uk will redirect to https://shedcode.co.uk This commit uses a regular expression to remove the multiple leading slashes before redirecting.
2025-12-10 16:51:24 +01:00 · 2025-09-11 21:54:06 +01:00 · 2025-09-11 21:54:06 +01:00 · df7c45f76e
commit df7c45f76e
parent 7a602140df
1 changed files with 6 additions and 0 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -1806,8 +1806,14 @@ class DatasetteRouter:
            "raw_path", request.scope["path"].encode("utf8")
        ).partition(b"?")[0]
        context = {}
+
        if path.endswith(b"/"):
            path = path.rstrip(b"/")
+
+            # If you redirect with a // at the beginning, you end up with an open redirect, so
+            # https://my.site//foo/ - will redirect to https://foo
+            path = re.sub(rb'^/+', b'/', path)
+
            if request.scope["query_string"]:
                path += b"?" + request.scope["query_string"]
            await asgi_send_redirect(send, path.decode("latin1"))