Release 6.1.5

Merge pull request from GHSA-c7vm-f5p4-8fqh
[6.x] Fix GHSA-c7vm-f5p4-8fqh
5 changed files with 39 additions and 6 deletions
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@ -22,6 +22,15 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
    ``pip --version``.


+.. _release-6.1.5:
+
+6.1.5
+-----
+
+6.1.5 is a security release, fixing one vulnerability:
+
+- Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)
+
 .. _release-6.1.4:

 6.1.4
--- a/notebook/_version.py
+++ b/notebook/_version.py
@ -9,5 +9,5 @@ store the current version info of the notebook.

 # Next beta/alpha/rc release: The version number for beta is X.Y.ZbN **without dots**.

-version_info = (6, 1, 4)
+version_info = (6, 1, 5)
 __version__ = '.'.join(map(str, version_info[:3])) + ''.join(version_info[3:])
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -854,13 +854,18 @@ class APIVersionHandler(APIHandler):

 class TrailingSlashHandler(web.RequestHandler):
    """Simple redirect handler that strips trailing slashes
-    
+
    This should be the first, highest priority handler.
    """
-    
+
    def get(self):
-        self.redirect(self.request.uri.rstrip('/'))
-    
+        path, *rest = self.request.uri.partition("?")
+        # trim trailing *and* leading /
+        # to avoid misinterpreting repeated '//'
+        path = "/" + path.strip("/")
+        new_uri = "".join([path, *rest])
+        self.redirect(new_uri)
+
    post = put = get


@ -911,6 +916,7 @@ class RedirectWithParams(web.RequestHandler):
        url = sep.join([self._url, self.request.query])
        self.redirect(url, permanent=self._permanent)

+
 class PrometheusMetricsHandler(IPythonHandler):
    """
    Return prometheus metrics for this notebook server
--- a/notebook/static/base/js/namespace.js
+++ b/notebook/static/base/js/namespace.js
@ -73,7 +73,7 @@ define(function(){
    // tree
    jglobal('SessionList','tree/js/sessionlist');

-    Jupyter.version = "6.1.4";
+    Jupyter.version = "6.1.5";
    Jupyter._target = '_blank';

    return Jupyter;
--- a/notebook/tests/test_paths.py
+++ b/notebook/tests/test_paths.py
@ -3,10 +3,13 @@ import re
 from nose.tools import assert_regex, assert_not_regex

 from notebook.base.handlers import path_regex
+from notebook.utils import url_path_join
+from .launchnotebook import NotebookTestBase

 # build regexps that tornado uses:
 path_pat = re.compile('^' + '/x%s' % path_regex + '$')

+
 def test_path_regex():
    for path in (
        '/x',
@ -30,3 +33,18 @@ def test_path_regex_bad():
        '/y/x/foo',
    ):
        assert_not_regex(path, path_pat)
+
+
+class RedirectTestCase(NotebookTestBase):
+    def test_trailing_slash(self):
+        for uri, expected in (
+            ("/notebooks/mynotebook/", "/notebooks/mynotebook"),
+            ("////foo///", "/foo"),
+            ("//example.com/", "/example.com"),
+            ("/has/param/?hasparam=true", "/has/param?hasparam=true"),
+        ):
+            r = self.request("GET", uri, allow_redirects=False)
+            print(uri, expected)
+            assert r.status_code == 302
+            assert "Location" in r.headers
+            assert r.headers["Location"] == url_path_join(self.url_prefix, expected)
Author	SHA1	Message	Date
Min RK	e946154112	Release 6.1.5	5 years ago
Min RK	3cec4bbe21	Merge pull request from GHSA-c7vm-f5p4-8fqh [6.x] Fix GHSA-c7vm-f5p4-8fqh	5 years ago
Min RK	73bd15e4f3	changelog for 6.1.5	5 years ago
Min RK	2e1c56b0c4	Validate redirect target in TrailingSlashHandler Fixes open redirect vulnerability GHSA-c7vm-f5p4-8fqh	5 years ago