From dfeb6f0a146662bdae5333356600926035e51861 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 16 Jun 2023 10:12:44 +0800
Subject: [PATCH] Fix CVE-2023-28370
(cherry picked from commit 3aa701180fb44fba66ac80b1137b798faa4032f9)
---
 CVE-2023-28370.patch | 35 +++++++++++++++++++++++++++++++++++
 python-tornado.spec | 8 ++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2023-28370.patch
diff --git a/CVE-2023-28370.patch b/CVE-2023-28370.patch
new file mode 100644
index 0000000..f99a1fe
--- /dev/null
+++ b/CVE-2023-28370.patch
@@ -0,0 +1,35 @@
+From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
+From: Ben Darnell
+Date: Sat, 13 May 2023 20:58:52 -0400
+Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index 3b676e3c2..565140493 100644
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
+ # but there is some prefix to the path that was already
+ # trimmed by the routing
+ if not self.request.path.endswith("/"):
++ if self.request.path.startswith("//"):
++ # A redirect with two initial slashes is a "protocol-relative" URL.
++ # This means the next path segment is treated as a hostname instead
++ # of a part of the path, making this effectively an open redirect.
++ # Reject paths starting with two slashes to prevent this.
++ # This is only reachable under certain configurations.
++ raise HTTPError(
++ 403, "cannot redirect path with two initial slashes"
++ )
+ self.redirect(self.request.path + "/", permanent=True)
+ return None
+ absolute_path = os.path.join(absolute_path, self.default_filename)
diff --git a/python-tornado.spec b/python-tornado.spec
index 22b6b4c..b5bd4f3 100644
--- a/python-tornado.spec
+++ b/python-tornado.spec
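Review bot: The added guard in validate_absolute_path rejects only a request path that begins with `//`, while the unchanged `self.redirect(self.request.path + "/", permanent=True)` on the next line still builds the Location value from the raw request path; whether any other prefix a browser resolves as scheme-relative (a backslash right after the leading slash is the usual example in redirect hardening guidance) can survive Tornado's request-line parsing is not visible in this hunk, so treat that as a point to confirm rather than a defect. If it can, widening the check to `if self.request.path.startswith(("//", "/\\")):` keeps the same 403 behaviour without changing the interface. The backported file also carries upstream's note that a regression test would follow, so nothing in this package exercises the guard; a minimal check that a `//`-prefixed directory request under `default_filename` yields 403 rather than a redirect would be worth adding alongside the patch. The enclosing validate_absolute_path method starts and ends outside the hunk.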
@@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name: python-tornado
 Version: 6.1
-Release: 1
+Release: 2
 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 License: ASL 2.0
 URL: http://www.tornadoweb.org/
 Source0: https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
+Patch0: CVE-2023-28370.patch
 %description
 Tornado is an open source version of the scalable, non-blocking web server and tools.
@@ -31,7 +32,7 @@ Provides: python3-tornado-doc
 Tornado is an open source version of the scalable, non-blocking web server and tools.
 %prep
-%autosetup -n tornado-6.1
+%autosetup -n tornado-%{version} -p1
 %build
 %py3_build
@@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Fri Jun 16 2023 yaoxin - 6.1-2
+- Fix CVE-2023-28370
+
 * Thu Jul 08 2021 yaozc701 - 6.1-1
 - Upgrade version to 6.1
-- Gitee
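Review bot: The `-p1` added to `%autosetup -n tornado-%{version} -p1` applies CVE-2023-28370.patch, whose hunk header targets line 2879 of tornado/web.py in the upstream tree the fix was written against, while this spec builds tornado-6.1; `%autosetup` drives `patch` unless `-S git` is given, which tolerates an offset (and fuzz, depending on `%_default_patch_fuzz`), so the build log should be checked for the hunk applying cleanly and the built `tornado/web.py` confirmed to contain the `startswith("//")` guard inside validate_absolute_path. The changelog entry could also name the upstream commit it backports, e.g. `- Fix CVE-2023-28370 (backport of upstream 32ad07c54e)`, so the provenance is visible without opening the patch file. The Release bump and the rest of the hunk look fine.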