
@kmcgrady (Collaborator) commented Oct 30, 2024

Describe your changes

We amend the call to remove the slash at the end if necessary. However, paths with double slashes `//my-path` create an invalid redirect that can cause security issues. This change prevents the double slash from matching with this route.

GitHub Issue Link (if applicable)

closes #9690

Testing Plan

  • Updated Unit Tests
  • Verified manually that redirect works as needed and fails with a double slash (and with a URL encoded double slash)

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
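The hazard the description refers to, as an added example that is not the project's own code: a naive trailing-slash redirect beside a hardened version that refuses protocol-relative targets, including the URL-encoded double slash mentioned in the testing plan. The function names and the exact checks are assumptions for illustration, not Streamlit's implementation.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit


def naive_redirect_target(path: str) -> Optional[str]:
    """Vulnerable (illustrative): strip one trailing slash and redirect there.

    For "//evil.example/" this yields "//evil.example", which browsers treat
    as a protocol-relative URL and follow to another host (open redirect).
    """
    if path != "/" and path.endswith("/"):
        return path[:-1]
    return None  # no trailing slash, nothing to redirect


def safe_redirect_target(path: str) -> Optional[str]:
    """Hardened (illustrative): redirect only to a same-origin absolute path.

    Checks the URL-decoded path so "%2F%2F" cannot smuggle a leading
    double slash past the comparison, and refuses any target that parses
    with a scheme or host component.
    """
    decoded = unquote(path)
    # Reject protocol-relative forms; "/\\" is normalised to "//" by some browsers.
    if decoded.startswith(("//", "/\\")) or not decoded.startswith("/"):
        return None
    if path == "/" or not path.endswith("/"):
        return None  # root or no trailing slash: serve normally
    target = path[:-1]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return None  # would leave the origin
    return target


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    for p in ["/my-path/", "//evil.example/", "%2F%2Fevil.example/", "/"]:
        print(f"{p!r}: naive={naive_redirect_target(p)!r} safe={safe_redirect_target(p)!r}")
```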

@kmcgrady kmcgrady added change:bugfix PR contains bug fix implementation impact:users PR changes affect end users labels Oct 30, 2024
@kmcgrady kmcgrady requested a review from a team as a code owner October 30, 2024 19:50
@kmcgrady kmcgrady added the security-assessment-completed Security assessment has been completed for PR label Oct 30, 2024
@lukasmasuch (Collaborator) left a comment:

Another approval since PR requires server code owner

@kmcgrady kmcgrady merged commit cabd592 into develop Oct 31, 2024
@kmcgrady kmcgrady deleted the fix/redirect branch October 31, 2024 17:15
edegp pushed a commit to edegp/streamlit that referenced this pull request Jan 19, 2025
Successfully merging this pull request may close these issues.

Undesired host redirect with trailing slash and host path