Undesired host redirect with trailing slash and host path  #9690

@a-bro

Checklist

  • I have searched the existing issues for similar issues.
  • I added a very descriptive title to this issue.
  • I have provided sufficient information below to help reproduce this issue.

Summary

If a "hostname" path is provided with a trailing slash, streamlit will respond with a redirect to the host in the path.
Example url (streamlit running locally): http://localhost:8501//authorization.site/
This will 301 redirect to authorization.site.
This is undesired behavior and can lead to phishing attacks when a trusted hostname redirects to a malicious page.

This was introduced in the 1.39.0 release by #9500

Reproducible Code Example

No response

Steps To Reproduce

  1. Request a path against a streamlit server version 1.39.0 with the format {server_hostname}//{redirect_hostname}/, e.g. http://localhost:8501//authorization.site/
  2. Observe the redirect to the redirect_hostname

Expected Behavior

Expected behavior is for the server to return a 403 Forbidden response, and this was the behavior in streamlit release version 1.38.0.
Example Request for Streamlit 1.38.0:

curl -v http://localhost:8080//authorization.site/
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET //authorization.site/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 403 Forbidden
< Server: TornadoServer/6.4.1
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 20 Oct 2024 17:49:24 GMT
< Content-Length: 69
< Vary: Accept-Encoding
< 
* Connection #0 to host localhost left intact
<html><title>403: Forbidden</title><body>403: Forbidden</body></html>

Current Behavior

Curl response when requesting against Streamlit version 1.39.0:

curl -v http://localhost:8080//authorization.site/
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET //authorization.site/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: TornadoServer/6.4.1
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 20 Oct 2024 17:30:50 GMT
< Location: //authorization.site
< Content-Length: 0
< Vary: Accept-Encoding
< 
* Connection #0 to host localhost left intact

Is this a regression?

  • Yes, this used to work in a previous version.

Debug info

  • Streamlit version: 1.39.0
  • Python version: 3.9
  • Operating System: macOS
  • Browser: Curl

Additional Information

No response
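The behaviour reported above, modelled in plain Python as an added example (this is a constructed stand-in, not Streamlit's or Tornado's code): a trailing-slash redirect that emits the request path verbatim turns `//authorization.site/` into a scheme-relative `Location`, while the hardened variant returns 403 for any path that begins with two or more slashes, matching the 1.38.0 response. The `audit_location` helper is an assumed name for a regression check that can be run over `Location` headers captured from a server.

```python
import re
from typing import Optional, Tuple

# Constructed model of the trailing-slash redirect described in the issue.
# Browsers resolve a Location of "//host" as a scheme-relative URL, i.e. an
# absolute URL on another host, so stripping the slash from "//host/" produces
# an open redirect.
def redirect_target_naive(path: str) -> Tuple[int, Optional[str]]:
    """Return (status, location) for the reported 1.39.0-style behaviour."""
    if len(path) > 1 and path.endswith("/"):
        return 301, path.rstrip("/")          # "//authorization.site/" -> "//authorization.site"
    return 200, None


def redirect_target_hardened(path: str) -> Tuple[int, Optional[str]]:
    """Refuse request paths that would yield an off-host Location.

    Two or more leading slashes are scheme-relative for every browser URL
    parser, so such paths get 403 (the 1.38.0 behaviour) instead of a 301.
    Ordinary trailing-slash paths still redirect within the same host.
    """
    if re.match(r"^/{2,}", path):
        return 403, None
    if len(path) > 1 and path.endswith("/"):
        return 301, path.rstrip("/")
    return 200, None


def audit_location(location: str) -> bool:
    """True when a Location header value stays on the current host.

    Flags scheme-relative ("//host/...") and absolute ("https://host/...")
    values; relative paths such as "/dashboard" pass. Intended as a
    regression check over captured response headers (assumed helper).
    """
    if location.startswith("//"):
        return False
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", location):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample request paths, including the one from the report.
    for sample in ("//authorization.site/", "/dashboard/", "/"):
        print(sample, redirect_target_naive(sample), redirect_target_hardened(sample))
```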

Metadata

Assignees

No one assigned

    Labels

    area:security (Related to security concerns); type:enhancement (Requests for feature enhancements or new features)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests