Skip to content

chore(deps): update dependency webob to v1.8.10 [security]#32

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-webob-vulnerability
Open

chore(deps): update dependency webob to v1.8.10 [security]#32
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-webob-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 27, 2025

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webob ==1.8.7==1.8.10 age adoption passing confidence

WebOb's location header normalization during redirect leads to open redirect

CVE-2024-42353 / GHSA-mg3v-6m49-jhp3

More information

Details

Impact

When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the start of a string as a URI without a scheme, and then treats the next part as the hostname. urljoin will then use that hostname from the second part as the hostname replacing the original one from the request.

>>> parse.urlparse("//example.com/test/path")
ParseResult(scheme='', netloc='example.com', path='/test/path', params='', query='', fragment='')

WebOb uses urljoin to take the request URI and joining the redirect location, so assuming the request URI is: https://example.org//example.com/some/path, and the URL to redirect to (for example by adding a slash automatically) is //example.com/some/path/ that gets turned by urljoin into:

>>> parse.urljoin("https://example.org//attacker.com/some/path", "//attacker.com/some/path/")
'https://attacker.com/some/path/'

Which redirects from example.org where we want the user to stay to attacker.com

Patches

This issue is patched in WebOb 1.8.8

Older versions of WebOb continue to be vulnerable to this issue, and should be avoided.

Workarounds

Any use of the Response class that includes a location can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to.

Thanks
  • Sara Gao

This issue was reported via the Pylons Project Security List

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


WebOb: Location header normalization during redirect leads to open redirect - again

CVE-2026-44889 / GHSA-fh3h-vg37-cc95

More information

Details

Impact

When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urllib.parse, and joining it to the base URL. urlsplit (called internally by urljoin) however treats a // at the start of a string as a URI without a scheme, and then treats the next part as the hostname. urljoin will then use that hostname from the second part as the hostname replacing the original one from the request.

In a previous advisory GHSA-mg3v-6m49-jhp3 an attempt to fix this was made by forcing the replacement of // with /%2f, however this did not take into account that since Python 3.10 urlsplit internally strips ASCII tab, carriage return, and newline characters from the string, so /\t/attacker.com gets turned into //attacker.com and the attacker is able to bypass the changes introduced in that previous advisory, thereby bringing back the problem that was attempted to be fixed.

>>> parse.urlparse("//attacker.com/some/path")
ParseResult(scheme='', netloc='attacker.com', path='/some/path', params='', query='', fragment='')

WebOb uses urljoin to take the request URI and join the redirect location to it, so assuming the request URI is https://example.org/ and the URL to redirect to is /\t/attacker.com/some/path/:

>>> parse.urljoin("https://example.org/", "/\t/attacker.com/some/path/")
'https://attacker.com/some/path/'

Which redirects from example.org where we want the user to stay to attacker.com.

Patches

This issue has been fixed in WebOb 1.8.10.

Workarounds

Any use of the Response class that includes a location can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to, or to validate that the redirect target starts with a scheme (e.g. http:// or https://) before assigning to Response.location.

References
Thanks
  • Caleb Brown of Google

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency webob to v1.8.8 [security] chore(deps): update dependency webob to v1.8.10 [security] Jun 5, 2026
@renovate renovate Bot force-pushed the renovate/pypi-webob-vulnerability branch from c514262 to 8a0e905 Compare June 5, 2026 00:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants