[GHSA-v6wp-4m6f-gcjg] Open redirect vulnerability in normalize_path_middleware #5497
Labels: bug, middleware, reproducer: present (this PR or issue contains code which reproduces the problem described, or clearly understandable steps to reproduce), server
🐞 Describe the bug
Open redirect vulnerability in normalize_path_middleware. A maliciously constructed link could trick an aiohttp app using normalize_path_middleware into issuing an HTTP redirect to a foreign website. But not anymore. Fixed in v3.7.4.
📋 Logs/tracebacks
See GHSA-v6wp-4m6f-gcjg.
📋 Additional context
OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
Our security policy: https://github.com/aio-libs/aiohttp/security/policy (TL;DR — never report security bugs in public, use designated emails for this)
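As an added example (not code from the aiohttp project, the fix, or the advisory), here is a small Python check that applies the OWASP guidance linked above to a redirect target derived from a request path: it accepts only same-origin, path-only targets and refuses protocol-relative or absolute ones. The function names, the slash-collapsing normalizer and the sample inputs are my own assumptions for illustration; nothing here describes how normalize_path_middleware itself is implemented or was patched.

```python
import re
from typing import Optional
from urllib.parse import urlsplit


# Hypothetical helper (not aiohttp code): decide whether a redirect target
# derived from a request path stays on the current origin.
def is_safe_local_redirect(target: str) -> bool:
    """True only for an absolute, same-origin, path-only target such as '/docs/'."""
    # Must be a path on this site, not a bare segment or a full URL.
    if not target.startswith("/"):
        return False
    # Browsers read '//host/...' as a protocol-relative URL and '/\host' as
    # '//host', so a second leading slash or backslash changes the origin.
    if target.startswith(("//", "/\\")):
        return False
    # Anything urlsplit recognises as a scheme or host is not a local path.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Control characters and whitespace are stripped or reinterpreted by some
    # clients; refuse them rather than guess how they will be parsed.
    if any(ord(ch) < 0x21 for ch in target):
        return False
    return True


def safe_normalized_target(raw_path: str) -> Optional[str]:
    """Collapse runs of slashes the way a merge-slashes normalizer would, then
    return the result only if it is still a same-origin path; otherwise None."""
    merged = re.sub(r"/{2,}", "/", raw_path)
    return merged if is_safe_local_redirect(merged) else None


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the advisory).
    for candidate in ["/docs//api/", "//other.example/",
                      "/\\other.example", "https://other.example/"]:
        print(f"{candidate!r:28} -> {safe_normalized_target(candidate)!r}")
```

Note that collapsing the leading slashes turns "//other.example/" into the local path "/other.example/", which is then accepted; the explicit check in is_safe_local_redirect is what protects you when a redirect target reaches the response without passing through that normalization first.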
👏 Credits
Thanks to @jelmer and @g147 for reporting and fixing this.