Merge pull request #3305 from bdarnell/redirect-test-windows
web_test: Fix open redirect test on windows
bdarnell authored Aug 9, 2023
2 parents 3afcc45 + 418f63a commit fe6c125
Showing 1 changed file with 10 additions and 2 deletions.
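--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -1457,10 +1457,18 @@ def test_no_open_redirect(self):
 # This test verifies that the open redirect that affected some configurations
 # prior to Tornado 6.3.2 is no longer possible. The vulnerability required
 # a static_url_prefix of "/" and a default_filename (any value) to be set.
-# The absolute server-side path to the static directory must also be known.
+# The absolute* server-side path to the static directory must also be known.
+#
+# * Almost absolute: On windows, the drive letter is stripped from the path.
+test_dir = os.path.dirname(__file__)
+drive, tail = os.path.splitdrive(test_dir)
+if os.name == "posix":
+self.assertEqual(tail, test_dir)
+else:
+test_dir = tail
 with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
 response = self.fetch(
-f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
+f"//evil.com/../{test_dir}/static/dir",
 follow_redirects=False,
 )
 self.assertEqual(response.code, 403)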
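Review bot: `drive` on the `os.path.splitdrive` line is bound and never read, and the new footnote says the drive letter is stripped without saying why the request path has to omit it. Writing `_, tail = os.path.splitdrive(test_dir)` would make the intent plain, and the footnote could gain a line such as `# The request path is resolved under the static root, so only the drive-relative part can appear in the URL.` (that reason is inferred from the test rather than shown in the hunk, so it should be confirmed before it is written down). On Windows `tail` will normally carry backslash separators into the f-string URL, so the `ExpectLog` pattern is the only thing showing the request reached the two-initial-slashes check rather than being rejected earlier; a short comment saying so would keep a later edit from loosening that pattern. The body of test_no_open_redirect starts outside the hunk.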
