Skip to content

[GHSA-v6wp-4m6f-gcjg] Open redirect vulnerability in normalize_path_middleware middleware #5497

Closed
Closed
[GHSA-v6wp-4m6f-gcjg] Open redirect vulnerability in normalize_path_middleware middleware#5497
Assignees
webknjaz
Labels
bugreproducer: presentThis PR or issue contains code, which reproduce the problem described or clearly understandable STRserver
@webknjaz

Description

@webknjaz
webknjaz
opened on Feb 25, 2021

🐞 Describe the bug

$sbj. A maliciously constructed link could trick an aiohttp app using normalize_path_middleware to issue an HTTP redirect to a foreign website. But not anymore. Fixed in v3.7.4.

📋 Logs/tracebacks

See GHSA-v6wp-4m6f-gcjg.

📋 Additional context

OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Our security policy: https://github.com/aio-libs/aiohttp/security/policy (TL;DR — never report security bugs in public, use designated emails for this)

👏 Credits

Thanks to @jelmer and @g147 for reporting and fixing this.

Metadata

Metadata

Assignees

Labels

bugreproducer: presentThis PR or issue contains code, which reproduce the problem described or clearly understandable STRserver

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions