.. _http-server-redirection:

http.server: Open Redirection if the URL path starts with //
============================================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python`_ is available on GitHub in
   the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the `Open Source Vulnerability Database`_.

This security flaw causes an open redirection vulnerability in
``Lib/http/server.py`` due to no protection against multiple slashes
(``/``) at the beginning of the URI path.

Dates:

* Disclosure date: **2021-02-14** (Python issue gh-87389 reported)
* Reported at: 2021-02-14
* Reported by: Hamza Avvan (email to PSRT)

Fixed In
--------

* Python **3.7.14** (2022-09-06) fixed by `commit 8a34afd (branch 3.7)`_ (2022-06-22)
* Python **3.8.14** (2022-09-06) fixed by `commit 4dc2cae (branch 3.8)`_ (2022-06-22)
* Python **3.9.14** (2022-09-06) fixed by `commit defaa2b (branch 3.9)`_ (2022-06-22)
* Python **3.10.6** (2022-08-01) fixed by `commit 5715382 (branch 3.10)`_ (2022-06-21)
* Python **3.11.0** (2022-10-24) fixed by `commit e2e8847 (branch 3.11)`_ (2022-06-21)

Python issue
------------

[security] CVE-2021-28861: http.server: Open Redirection if the URL path
starts with //.

* Python issue: `gh-87389`_
* Creation date: 2021-02-14
* Reporter: Hamza Avvan

CVE-2021-28861
--------------

** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability
in lib/http/server.py due to no protection against multiple (/) at the
beginning of the URI path, which may lead to information disclosure. NOTE:
this is disputed by a third party because the http.server.html documentation
page states "Warning: http.server is not recommended for production. It only
implements basic security checks."
* CVE ID: `CVE-2021-28861`_
* Published: 2022-08-23

Timeline
--------

Timeline using the disclosure date **2021-02-14** as reference:

* 2021-02-14: Reported
* 2021-02-14: `Python issue gh-87389`_ reported by Hamza Avvan
* 2022-06-21 (**+492 days**): `commit 4abab6b (branch 3.12)`_
* 2022-06-21 (**+492 days**): `commit 5715382 (branch 3.10)`_
* 2022-06-21 (**+492 days**): `commit e2e8847 (branch 3.11)`_
* 2022-06-22 (**+493 days**): `commit 4dc2cae (branch 3.8)`_
* 2022-06-22 (**+493 days**): `commit 8a34afd (branch 3.7)`_
* 2022-06-22 (**+493 days**): `commit defaa2b (branch 3.9)`_
* 2022-08-01 (**+533 days**): Python 3.10.6 released
* 2022-08-23 (**+555 days**): CVE-2021-28861 published
* 2022-09-06 (**+569 days**): Python 3.7.14 released
* 2022-09-06 (**+569 days**): Python 3.8.14 released
* 2022-09-06 (**+569 days**): Python 3.9.14 released
* 2022-10-24: Python 3.11.0 released

Links
-----

* https://access.redhat.com/security/cve/CVE-2021-28861
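The following is an added illustration of the mechanism behind this flaw and of the defence, written for this page and not taken from the page or from CPython: ``normalize_request_path`` models the upstream leading-slash fix as an assumption, ``directory_redirect_location`` models how ``SimpleHTTPRequestHandler`` builds its directory redirect, and ``example.org`` is a constructed sample host.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_request_path(path: str) -> str:
    """Collapse a run of leading slashes into a single '/'.

    Models the gh-87389 fix in BaseHTTPRequestHandler (assumption: the
    upstream code is not quoted on this page). Without it, a request line
    such as 'GET //host/.. HTTP/1.1' keeps its leading '//'.
    """
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


def directory_redirect_location(request_path: str) -> Optional[str]:
    """Build the Location header the way SimpleHTTPRequestHandler does when
    the requested path maps to a directory but lacks a trailing '/':
    urlsplit the request path, append '/' to the path component, urlunsplit.

    Returns None when no redirect would be sent (path already ends with '/').
    Whether the translated filesystem path is a directory is assumed to have
    been checked by the caller; it is out of scope here.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return None
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urlunsplit(new_parts)


def is_scheme_relative(location: str) -> bool:
    """True when a Location value is a network-path reference ('//host/...').

    Clients resolve such a reference against the host it names, not against
    the server that sent it, so a redirect of this form leaves the origin.
    """
    return location.startswith('//')


def redirect_leaves_origin(request_path: str, hardened: bool) -> bool:
    """Defender's check: would the directory redirect for this request path
    send the client to another host? 'hardened' applies the leading-slash
    normalisation first."""
    if hardened:
        request_path = normalize_request_path(request_path)
    location = directory_redirect_location(request_path)
    return location is not None and is_scheme_relative(location)
```

With the raw path ``//example.org/..`` the modelled server emits ``Location: //example.org/../``, a scheme-relative URL; after normalisation the same request yields ``/example.org/../`` and stays on the origin.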