Merge pull request #345 from jupyter/1.0.x

Zsailer · web-flow · commit 782230e4a7cc · 2020-11-18T11:07:00.000-08:00
Apply security advisory fix to master
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.6] - 2020-11-18
+
+1.0.6 is a security release, fixing one vulnerability:
+
+### Changed
+
+- Fix open redirect vulnerability GHSA-grfj-wjv9-4f9v (CVE-2020-26232)
+
+
 ## [1.0] - 2020-9-18
 
 ### Added.
diff --git a/docs/source/other/changelog.rst b/docs/source/other/changelog.rst
@@ -21,6 +21,15 @@ We strongly recommend that you upgrade to version 9+ of pip before upgrading ``j
     Use ``pip install pip --upgrade`` to upgrade pip. Check pip version with
     ``pip --version``.
 
+.. _release-1.0.6:
+
+1.0.6
+-----
+
+1.0.6 is a security release, fixing one vulnerability:
+
+- Fix open redirect vulnerability GHSA-grfj-wjv9-4f9v (CVE-2020-26232)
+
 .. _release-1.0.0:
 
 1.0.0
diff --git a/jupyter_server/_version.py b/jupyter_server/_version.py
@@ -9,5 +9,5 @@
 
 # Next beta/alpha/rc release: The version number for beta is X.Y.ZbN **without dots**.
 
-version_info = (1, 0, 5, '')
+version_info = (1, 0, 6, '')
 __version__ = '.'.join(map(str, version_info[:3])) + ''.join(version_info[3:])
diff --git a/jupyter_server/base/handlers.py b/jupyter_server/base/handlers.py
@@ -776,9 +776,12 @@ class TrailingSlashHandler(web.RequestHandler):
     """
 
     def get(self):
-        uri = self.request.path.rstrip("/")
-        if uri:
-            self.redirect('?'.join((uri, self.request.query)))
+        path, *rest = self.request.uri.partition("?")
+        # trim trailing *and* leading /
+        # to avoid misinterpreting repeated '//'
+        path = "/" + path.strip("/")
+        new_uri = "".join([path, *rest])
+        self.redirect(new_uri)
 
     post = put = get
 
diff --git a/tests/test_paths.py b/tests/test_paths.py
@@ -1,5 +1,6 @@
 import re
-
+import pytest
+import tornado
 from jupyter_server.base.handlers import path_regex
 
 
@@ -29,3 +30,28 @@ def test_path_regex_bad():
         '/y/x/foo',
     ):
         assert re.match(path_pat, path) is None
+
+
+@pytest.mark.parametrize(
+    'uri,expected',
+    [
+        ("/notebooks/mynotebook/", "/notebooks/mynotebook"),
+        ("////foo///", "/foo"),
+        ("//example.com/", "/example.com"),
+        ("/has/param/?hasparam=true", "/has/param?hasparam=true"),
+    ]
+)
+async def test_trailing_slash(uri, expected, http_server_client, auth_header, base_url):
+    # http_server_client raises an exception when follow_redirects=False
+    with pytest.raises(tornado.httpclient.HTTPClientError) as err:
+        await http_server_client.fetch(
+            uri,
+            headers=auth_header,
+            request_timeout=20,
+            follow_redirects=False
+        )
+    # Capture the response from the raised exception value.
+    response = err.value.response
+    assert response.code == 302
+    assert "Location" in response.headers
+    assert response.headers["Location"] == expected
