bpo-43223: Fix Open Redirection In http.server module

Fix an open redirection vulnerability in the HTTP server when a URL contains ``//``.
Added test case for bpo-43223 patch

Author: hamzaavvan

Lib/http/server.py

@@ -101,6 +101,7 @@
 import socket # For gethostbyaddr()
 import socketserver
 import sys
+import re
 import time
 import urllib.parse
 import contextlib
@@ -332,6 +333,12 @@ def parse_request(self):
                 return False
         self.command, self.path = command, path
 
+        # bpo-43223: The purpose of replacing '//' with '/' is to protect against 
+        # open redirect attacks reside within http.server module which can be triggered
+        # if the path contains '//' at the beginning because web clients treat //path as
+        # an absolute url without scheme (similar to http://path) rather than a relative path
+        self.path = re.sub(r'^(/)+', '/', self.path)
+
         # Examine the headers and look for a Connection directive.
         try:
             self.headers = http.client.parse_headers(self.rfile,

Lib/test/test_http/test_http.py

@@ -0,0 +1,11 @@
+import unittest
+import re
+
+class TestHTTP(unittest.TestCase):
+
+    def test_http_parse_request(self):
+        self.assertEqual(re.sub(r'^/+', '/', '//test.com'), '/test.com', '//test.com should be converted to a proper relative path')
+        self.assertEqual(re.sub(r'^/+', '/', '///test.com'), '/test.com', '///test.com should be converted to a proper relative path')
+
+if __name__ == '__main__':
+    unittest.main()

Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst

@@ -0,0 +1,2 @@
+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server when an URL contains ``//``.
+Vulnerability discovered and fixed by Hamza Avvan.