http.server: Open Redirection if the URL path starts with //

This security flaw causes an open redirection vulnerability in Lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path.

Dates:

  • Disclosure date: 2021-02-14 (Python issue gh-87389 reported)
  • Reported at: 2021-02-14
  • Reported by: Hamza Avvan (email to PSRT)

Fixed In

Python issue

[security] CVE-2021-28861: http.server: Open Redirection if the URL path starts with //.

  • Python issue: gh-87389
  • Creation date: 2021-02-14
  • Reporter: Hamza Avvan

CVE-2021-28861

** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states “Warning: http.server is not recommended for production. It only implements basic security checks.”
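The two descriptions above state the mechanism in one sentence; the following added illustration (written for this page, not CPython's own code) shows why a leading `//` matters and what collapsing it achieves. http.server redirects a request for a directory to the same URL with a trailing slash, building the Location value from the URL-path component of the request target. Because clients treat `//host/...` as a scheme-relative URL, a request path that begins with two slashes produces a Location pointing at another host. The function names (`redirect_location_for`, `is_scheme_relative`, `collapse_leading_slashes`) and the sample request paths are assumptions constructed for the example; the mitigation mirrors the idea of reducing leading slashes to a single `/` before the path is used.

```python
"""Added illustration of CVE-2021-28861 (gh-87389): a request path that
starts with '//' turns http.server's directory redirect into a redirect to
another host, and collapsing the leading slashes removes that property.

This is a simplified model of the redirect logic, not CPython's code.
All helper names and the sample paths below are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit


def redirect_location_for(request_path: str) -> str:
    """Model the Location header http.server sends when a directory is
    requested without a trailing slash: split the request target, append
    '/' to its path component and reassemble it (constructed model).

    Note that urlsplit('//other.example/docs') yields netloc='other.example'
    and path='/docs'; the reassembled value therefore keeps the host.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith("/"):
        return request_path
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def is_scheme_relative(location: str) -> bool:
    """True when a client would resolve `location` against a host named in
    the value itself ('//host/...'), i.e. the redirect leaves the server."""
    return urlsplit(location).netloc != ""


def collapse_leading_slashes(request_path: str) -> str:
    """Mitigation: reduce any run of leading '/' to a single '/', so the
    request target is always interpreted as a path, never as '//host'.
    (Hypothetical helper; the upstream fix applies the same idea when the
    request line is parsed.)"""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def classify(request_path: str) -> dict:
    """Compare the redirect built from the raw path with the one built from
    the normalised path, for a quick before/after view."""
    raw_location = redirect_location_for(request_path)
    safe_location = redirect_location_for(collapse_leading_slashes(request_path))
    return {
        "request_path": request_path,
        "raw_location": raw_location,
        "raw_leaves_host": is_scheme_relative(raw_location),
        "safe_location": safe_location,
        "safe_leaves_host": is_scheme_relative(safe_location),
    }


if __name__ == "__main__":
    # Constructed sample request paths: a normal one and one with a
    # leading '//' naming a foreign host.
    for sample in ("/docs", "//other.example/docs", "///other.example/docs"):
        print(classify(sample))
```

Running the block prints, for each sample path, the Location the unpatched logic would emit and the one produced after collapsing the leading slashes; only the raw `//...` variants report `raw_leaves_host: True`.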

Timeline

Timeline using the disclosure date 2021-02-14 as reference: