From df7c45f76e012240eef2f4706d592971ffe169dd Mon Sep 17 00:00:00 2001
From: James Jefferies
Date: Thu, 11 Sep 2025 21:54:06 +0100
Subject: [PATCH] Issue 2429 indicates the possiblity of an open redirect

The 404 processing ends up redirecting a request with multiple path slashes to that site, i.e. https://my-site//shedcode.co.uk will redirect to https://shedcode.co.uk

This commit uses a regular expression to remove the multiple leading slashes before redirecting.
---
 datasette/app.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/datasette/app.py b/datasette/app.py
index bf6cc03f..cefb6e4e 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -1806,8 +1806,14 @@ class DatasetteRouter:
 "raw_path", request.scope["path"].encode("utf8")
 ).partition(b"?")[0]
 context = {}
+
 if path.endswith(b"/"):
 path = path.rstrip(b"/")
+
+ # If you redirect with a // at the beginning, you end up with an open redirect, so
+ # https://my.site//foo/ - will redirect to https://foo
+ path = re.sub(rb'^/+', b'/', path)
+
 if request.scope["query_string"]:
 path += b"?" + request.scope["query_string"]
 await asgi_send_redirect(send, path.decode("latin1"))
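Review bot: The normalisation at `path = re.sub(rb'^/+', b'/', path)` collapses only forward slashes, so a trailing-slash request whose path starts with `/\` is still answered with a Location of `/\host…`, which browsers following the WHATWG URL parser treat as `//host…` — the same scheme-relative redirect this commit sets out to close. Covering both separators, `path = re.sub(rb"^[/\\]+", b"/", path)`, keeps the intent and also matches the file's double-quote style rather than the single quotes used here. The commit carries no test; a regression test asserting that a request for `//example.com/` yields a Location beginning with a single `/` would pin the fix. The `if path.endswith(b"/")` block and its enclosing handler begin and end outside the hunk, so whether the redirect on the last line is the only redirect in the handler cannot be confirmed from here.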