← 返回首页
[3.8] gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) by miss-islington · Pull Request #94094 · python/cpython · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
Resetting focus

[3.8] gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879)#94094

Merged
ambv merged 1 commit into
python:3.8from
miss-islington:backport-4abab6b-3.8
Jun 22, 2022
Merged

[3.8] gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879)#94094
ambv merged 1 commit into
python:3.8from
miss-islington:backport-4abab6b-3.8

Conversation

Copy link
Copy Markdown
Contributor

Fix an open redirection vulnerability in the http.server module when
an URI path starts with // that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Co-authored-by: Gregory P. Smith greg@krypto.org

…pythonGH-93879) Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b) Co-authored-by: Gregory P. Smith <greg@krypto.org>

gpshead commented Jun 21, 2022

Copy link
Copy Markdown
Member

Up to the RM team to decide is this minor security fix is worth going into such an old branch. Consider our statement about http.server in https://docs.python.org/3.7/library/http.server.html.

Copy link
Copy Markdown
Contributor Author

Status check is done, and it's a success ✅ .

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type-bug An unexpected behavior, bug, or error type-security A security issue

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants

Footer

© 2026 GitHub, Inc.