Описание
hyper-staticfile's location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request (e.g. a request for /dir that redirects to /dir/), the Location header value was derived from user input (the request path), simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed performing a scheme-relative redirect instead.
An attacker could craft a special URL that would appear to be for the correct domain, but immediately redirects to a malicious domain. Such a URL can benefit phishing attacks, for example an innocent looking link in an email.
Пакеты
Наименование
hyper-staticfile
rust
Затронутые версииВерсия исправления
< 0.9.4
0.9.4
Наименование
hyper-staticfile
rust
Затронутые версииВерсия исправления
>= 0.10.0-alpha.1, < 0.10.0-alpha.5
0.10.0-alpha.5
Дефекты
CWE-601
Дефекты
CWE-601