Fix for open redirect - identified in Issue 2429 (#2500)

* Issue 2429 indicates the possibility of an open redirect

The 404 processing ends up redirecting a request with multiple path
slashes to that site, i.e.

https://my-site//shedcode.co.uk will redirect to https://shedcode.co.uk

This commit uses a regular expression to remove the multiple leading
slashes before redirecting.
James Jefferies 2025-11-05 01:04:12 +00:00 committed by GitHub
commit f257ca6edb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 0 deletions

@ -97,3 +97,9 @@ def test_custom_route_pattern_404(custom_pages_client):
assert response.status == 404
assert "<h1>Error 404</h1>" in response.text
assert ">Oh no</" in response.text
def test_custom_route_pattern_with_slash_slash_302(custom_pages_client):
response = custom_pages_client.get("//nastyOpenRedirect/")
assert response.status == 302
assert response.headers["location"] == "/nastyOpenRedirect"
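Review bot: test_custom_route_pattern_with_slash_slash_302 covers only one input, "//nastyOpenRedirect/", which has exactly two leading slashes, while the commit message describes removing "multiple leading slashes". Consider parametrizing the test with three or more leading slashes (for example "///nastyOpenRedirect/") and asserting in each case that the location header begins with a single "/" followed by a non-slash character, so a pattern that only handles the two-slash case would fail the suite. The new test should also be separated from the preceding test by blank lines, matching the rest of the file.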