python3-tornado: patch CVE-2023-28370

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370 The NVD advisory mentions that the vulnerability was fixed in v6.3.2. I checked the commits in that tag, and picked the only one that's commit message described the same vulnerability as the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-08 08:46:15 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-08 22:03:03 +0100
commit: 0e149e459110ab0fb046658026f0f293f6058e2c (patch)
tree: b6541492f63481304402e9d79fb0181b2890ecaa
parent: 61ca38f45d6562bc037553032b1d8ae33454bef1 (diff)
download: meta-openembedded-0e149e459110ab0fb046658026f0f293f6058e2c.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
new file mode 100644
index 0000000000..b8b6029753
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
@@ -0,0 +1,39 @@
+From c5674de64189ac407e6ace51bed08899f267ae44 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Sat, 13 May 2023 20:58:52 -0400
+Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+CVE: CVE-2023-28370
+Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/tornado/web.py b/tornado/web.py
+index 546e6ec..8410880 100644
+--- a/tornado/web.py
+++ b/tornado/web.py
+@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
+             # but there is some prefix to the path that was already
+             # trimmed by the routing
+             if not self.request.path.endswith("/"):
+                if self.request.path.startswith("//"):
+                    # A redirect with two initial slashes is a "protocol-relative" URL.
+                    # This means the next path segment is treated as a hostname instead
+                    # of a part of the path, making this effectively an open redirect.
+                    # Reject paths starting with two slashes to prevent this.
+                    # This is only reachable under certain configurations.
+                    raise HTTPError(
+                        403, "cannot redirect path with two initial slashes"
+                    )
+                 self.redirect(self.request.path + "/", permanent=True)
+                 return None
+             absolute_path = os.path.join(absolute_path, self.default_filename)
diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb
index 1dedc51029..d4cb58febc 100644
--- a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb
+++ b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+SRC_URI += "file://CVE-2023-28370.patch"
 SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321"
 SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-08 08:46:15 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-08 22:03:03 +0100
commit	0e149e459110ab0fb046658026f0f293f6058e2c (patch)
tree	b6541492f63481304402e9d79fb0181b2890ecaa
parent	61ca38f45d6562bc037553032b1d8ae33454bef1 (diff)
download	meta-openembedded-0e149e459110ab0fb046658026f0f293f6058e2c.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch new file mode 100644 index 0000000000..b8b6029753 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
@@ -0,0 +1,39 @@
		1	From c5674de64189ac407e6ace51bed08899f267ae44 Mon Sep 17 00:00:00 2001
		2	From: Ben Darnell <ben@bendarnell.com>
		3	Date: Sat, 13 May 2023 20:58:52 -0400
		4	Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
		5
		6	Under some configurations the default_filename redirect could be exploited
		7	to redirect to an attacker-controlled site. This change refuses to redirect
		8	to URLs that could be misinterpreted.
		9
		10	A test case for the specific vulnerable configuration will follow after the
		11	patch has been available.
		12
		13	CVE: CVE-2023-28370
		14	Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f]
		15	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		16	---
		17	tornado/web.py \| 9 +++++++++
		18	1 file changed, 9 insertions(+)
		19
		20	diff --git a/tornado/web.py b/tornado/web.py
		21	index 546e6ec..8410880 100644
		22	--- a/tornado/web.py
		23	+++ b/tornado/web.py
		24	@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
		25	# but there is some prefix to the path that was already
		26	# trimmed by the routing
		27	if not self.request.path.endswith("/"):
		28	+ if self.request.path.startswith("//"):
		29	+ # A redirect with two initial slashes is a "protocol-relative" URL.
		30	+ # This means the next path segment is treated as a hostname instead
		31	+ # of a part of the path, making this effectively an open redirect.
		32	+ # Reject paths starting with two slashes to prevent this.
		33	+ # This is only reachable under certain configurations.
		34	+ raise HTTPError(
		35	+ 403, "cannot redirect path with two initial slashes"
		36	+ )
		37	self.redirect(self.request.path + "/", permanent=True)
		38	return None
		39	absolute_path = os.path.join(absolute_path, self.default_filename)


diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb index 1dedc51029..d4cb58febc 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/"
6	LICENSE = "Apache-2.0"	6	LICENSE = "Apache-2.0"
7	LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"	7	LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
8		8
		9	SRC_URI += "file://CVE-2023-28370.patch"
9	SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321"	10	SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321"
10	SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"	11	SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"
11		12