From f257ca6edb64848c3b04b54d41e347c54fe57c05 Mon Sep 17 00:00:00 2001
From: James Jefferies
Date: Wed, 5 Nov 2025 01:04:12 +0000
Subject: [PATCH] Fix for open redirect - identified in Issue 2429 (#2500)
* Issue 2429 indicates the possiblity of an open redirect The 404 processing ends up redirecting a request with multiple path slashes to that site, i.e. https://my-site//shedcode.co.uk will redirect to https://shedcode.co.uk This commit uses a regular expression to remove the multiple leading slashes before redirecting.
---
datasette/app.py | 5 +++++
tests/test_custom_pages.py | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/datasette/app.py b/datasette/app.py
index 09936b3a..be507241 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -2150,6 +2150,11 @@ class DatasetteRouter:
 context = {}
 if path.endswith(b"/"):
 path = path.rstrip(b"/")
+
+ # If you redirect with a // at the beginning, you end up with an open redirect, so
+ # https://my.site//foo/ - will redirect to https://foo
+ path = re.sub(rb"^/+", b"/", path)
+
 if request.scope["query_string"]:
 path += b"?" + request.scope["query_string"]
 await asgi_send_redirect(send, path.decode("latin1"))
diff --git a/tests/test_custom_pages.py b/tests/test_custom_pages.py
index f2cfe394..ccc139ce 100644
--- a/tests/test_custom_pages.py
+++ b/tests/test_custom_pages.py
@@ -97,3 +97,9 @@ def test_custom_route_pattern_404(custom_pages_client):
 assert response.status == 404
 assert "
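Review bot: The added `path = re.sub(rb"^/+", b"/", path)` only collapses forward slashes, so a path that begins with a slash followed by a backslash (e.g. `/\evil.example/`) passes through untouched, and browsers normalise `\` to `/` in http(s) URLs, which would turn such a `Location` header back into a protocol-relative `//evil.example` redirect. Whether a backslash can actually reach this point depends on how `path` is derived from the request scope earlier in the method, which is outside the hunk, so this needs confirming against that code and the new test in tests/test_custom_pages.py does not cover it. A cheap defence is to strip both characters, `path = re.sub(rb"^[/\\]+", b"/", path)`; a stronger one is to refuse the redirect outright when `urllib.parse.urlsplit(path.decode("latin1")).netloc` is non-empty instead of normalising. The enclosing DatasetteRouter method starts before and continues after this hunk.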

Error 404

" in response.text assert ">Oh no