diff --git a/CVE-2023-28370.patch b/CVE-2023-28370.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d384633881122be8bce7273cedb8e6677b5d06ef
--- /dev/null
+++ b/CVE-2023-28370.patch
@@ -0,0 +1,41 @@
+From c5f1581aaefb39776673e88331abf869197356aa Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Fri, 16 Jun 2023 10:35:45 +0800
+Subject: [PATCH 1/1] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+
+Origin:
+https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index a1d2aa5..1a056cc 100644
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -2594,6 +2594,15 @@ class StaticFileHandler(RequestHandler):
+ # but there is some prefix to the path that was already
+ # trimmed by the routing
+ if not self.request.path.endswith("/"):
++ if self.request.path.startswith("//"):
++ # A redirect with two initial slashes is a "protocol-relative" URL.
++ # This means the next path segment is treated as a hostname instead
++ # of a part of the path, making this effectively an open redirect.
++ # Reject paths starting with two slashes to prevent this.
++ # This is only reachable under certain configurations.
++ raise HTTPError(
++ 403, "cannot redirect path with two initial slashes"
++ )
+ self.redirect(self.request.path + "/", permanent=True)
+ return
+ absolute_path = os.path.join(absolute_path, self.default_filename)
+--
+2.30.0
+
diff --git a/python-tornado.spec b/python-tornado.spec
index 9d7fc9a99d5f849e901121e0add03fdac19795c8..11a38ee3d251e62e74f4b92c22ac764cc1d6d74c 100644
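Review bot: The new guard `if self.request.path.startswith("//"):` catches only the literal double slash, whereas browsers following the WHATWG URL parser also treat `\` as `/` in http(s) URLs, so a path such as `/\evil.example/..` would likely still reach `self.redirect(self.request.path + "/", permanent=True)` and emit `Location: /\evil.example/../`, which a browser resolves to `http://evil.example/`. Unlike `//evil.example/..`, the captured path here presumably does not start with `/`, so `os.path.join` should keep it under the static root and the directory check can succeed — worth reproducing against 5.0.2's routing before relying on the `//` check alone, and if it does, widen it to `if self.request.path.startswith(("//", "/\\")):` with the comment `# browsers parse "/\" like "//" (WHATWG URL), so reject it as protocol-relative too`. The backport ships without a regression test (the commit message defers it), so nothing pins the 403 for the vulnerable root-mounted default_filename configuration. The enclosing method starts and ends outside the hunk.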
--- a/python-tornado.spec
+++ b/python-tornado.spec
@@ -1,11 +1,12 @@
Name: python-tornado
Version: 5.0.2
-Release: 7
+Release: 8
Summary: a Python web framework and asynchronous networking library
License: ASL 2.0
URL: http://www.tornadoweb.org
Source0: https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz
Patch0: fix-erroneous-deprecation-warnings.patch
+Patch1: CVE-2023-28370.patch
BuildRequires: gcc python2-devel python2-singledispatch python3-devel
@@ -62,6 +63,9 @@ and other applications that require a long-lived connection to each user.
%{python3_sitearch}/*
%changelog
+* Fri Jun 16 2023 yaoxin - 5.0.2-8
+- Fix CVE-2023-28370
+
* Mon Sep 27 2021 lingsheng - 5.0.2-7
- Provide python-tornado
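Review bot: `+Patch1: CVE-2023-28370.patch` declares the fix, but the `%prep` section is not in this hunk, so it is not visible whether the patch is actually applied — unless `%prep` uses `%autosetup`/`%autopatch`, a matching `%patch1 -p1` must be added, otherwise the build silently keeps the vulnerable `StaticFileHandler` while the changelog claims the CVE is fixed. The patch's hunk header (`@@ -2594,6 +2594,15 @@`) appears to carry offsets from the upstream tree rather than from 5.0.2's `tornado/web.py`, so confirm at build time that it applies without rejects or unexpected fuzz.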