
Author hamzaavvan
Recipients hamzaavvan, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date 2021-02-19.05:59:55
Message-id <1613714396.09.0.53261998931.issue43223@roundup.psfhosted.org>
Content
As for the directory issue, not only .ssh but an attacker can use any directory to make the open redirection exploitable.

And as for the HTTP Location header, the server does not remove the extra trailing slash from the PAYLOAD URI, which seems to be the cause of the vulnerability getting exploited.

http://127.0.0.1:8000//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh

So I believe the server should check for multiple slashes and remove them from the path.

Additionally, as you've mentioned, it should also prepend the host:port/ to the new_url variable before writing the HTTP Location header, because if an attacker bypasses the protection and adds an extra slash, the server will still redirect to the host which is getting inserted into the Location header. But honestly I need your opinion, as concatenating the host to the URL may lead to Host Header Injection, but that would then require a different context.

Please watch the POC video.
POC Video: https://youtu.be/rLfOoEu1XXg
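As an added illustration (not code from CPython or from this report), the following reproduces how a directory redirect built from a request path that starts with `//` yields a scheme-relative Location header, and shows the leading-slash normalisation the message argues for. `build_redirect_location`, `normalize_request_path`, `safe_redirect_location` and `is_open_redirect` are hypothetical helper names; the payload path is the one quoted in the report.

```python
from urllib.parse import urlsplit, urlunsplit

# Request path from the report above (host:port prefix stripped).
ISSUE_PAYLOAD_PATH = "//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh"


def build_redirect_location(request_path: str) -> str:
    """Mimic the unfixed behaviour: when a directory is requested without a
    trailing '/', the Location value is the request path plus '/'.
    urlsplit() treats a leading '//' as a netloc, and urlunsplit() keeps it."""
    parts = urlsplit(request_path)
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def normalize_request_path(request_path: str) -> str:
    """Collapse any run of leading slashes to a single '/'.

    Browsers read '//host/...' as scheme-relative (same as 'http://host/...'),
    so a path beginning with '//' must never be echoed into Location as-is."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def safe_redirect_location(request_path: str) -> str:
    """Normalise first, then build the redirect target."""
    return build_redirect_location(normalize_request_path(request_path))


def is_open_redirect(location: str) -> bool:
    """True when a Location value names another host, either explicitly or
    via a scheme-relative '//host' prefix."""
    parts = urlsplit(location)
    return bool(parts.netloc) or location.startswith("//")


if __name__ == "__main__":
    unsafe = build_redirect_location(ISSUE_PAYLOAD_PATH)
    safe = safe_redirect_location(ISSUE_PAYLOAD_PATH)
    print("unfixed Location:", unsafe, "-> open redirect:", is_open_redirect(unsafe))
    print("fixed   Location:", safe, "-> open redirect:", is_open_redirect(safe))
```

Run with a hostile path, the unfixed builder emits `//attacker.com/...` while the normalised one emits a same-origin `/attacker.com/...` path, which is the difference the report is describing.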