0.9.6

Changelog for 0.9.6
replace 0.9.5 which has only a partial fix issue is now confirmed to affect all browsers
2025-10-11 20:13:02 +00:00 · 2019-04-01 12:17:49 +02:00 · 2019-04-01 12:17:40 +02:00 · 2019-04-01 12:12:15 +02:00 · 2019-04-01 12:06:49 +02:00 · 2019-03-28 13:00:09 +01:00
6 changed files with 42 additions and 9 deletions
--- a/docs/source/changelog.md
+++ b/docs/source/changelog.md
@@ -9,6 +9,14 @@ command line for details.
 ## 0.9
 ### [0.9.6] 2019-04-01
 JupyterHub 0.9.6 is a security release.
 - Fixes an Open Redirect vulnerability (CVE-2019-10255).
 JupyterHub 0.9.5 included a partial fix for this issue.
 ### [0.9.4] 2018-09-24
 JupyterHub 0.9.4 is a small bugfix release.
@@ -426,7 +434,8 @@ Fix removal of `/login` page in 0.4.0, breaking some OAuth providers.
 First preview release
-[Unreleased]: https://github.com/jupyterhub/jupyterhub/compare/0.9.4...HEAD
+[Unreleased]: https://github.com/jupyterhub/jupyterhub/compare/0.9.6...HEAD
 [0.9.6]: https://github.com/jupyterhub/jupyterhub/compare/0.9.4...0.9.6
 [0.9.4]: https://github.com/jupyterhub/jupyterhub/compare/0.9.3...0.9.4
 [0.9.3]: https://github.com/jupyterhub/jupyterhub/compare/0.9.2...0.9.3
 [0.9.2]: https://github.com/jupyterhub/jupyterhub/compare/0.9.1...0.9.2
--- a/hooks/post_push
+++ b/hooks/post_push
@@ -12,8 +12,11 @@ function get_hub_version() {
  split=( ${hub_xyz//./ } )
  hub_xy="${split[0]}.${split[1]}"
  # add .dev on hub_xy so it's 1.0.dev
-  if [[ ! -z "${split[3]}" ]]; then
+  if [[ ! -z "${split[3]:-}" ]]; then
    hub_xy="${hub_xy}.${split[3]}"
    latest=0
  else
    latest=1
  fi
 }
@@ -31,3 +34,11 @@ docker tag $DOCKER_REPO:$DOCKER_TAG $DOCKER_REPO:$hub_xy
 docker push $DOCKER_REPO:$hub_xy
 docker tag $ONBUILD:$DOCKER_TAG $ONBUILD:$hub_xy
 docker push $ONBUILD:$hub_xyz
 # if building a stable release, tag latest as well
 if [[ "$latest" == "1" ]]; then
  docker tag $DOCKER_REPO:$DOCKER_TAG $DOCKER_REPO:latest
  docker push $DOCKER_REPO:latest
  docker tag $ONBUILD:$DOCKER_TAG $ONBUILD:latest
  docker push $ONBUILD:latest
 fi
--- a/jupyterhub/_version.py
+++ b/jupyterhub/_version.py
@@ -6,7 +6,7 @@
 version_info = (
    0,
    9,
-    4,
+    6,
    "",  # release (b1, rc1, or "" for final or dev)
    # "dev",  # dev or nothing
 )
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -427,6 +427,8 @@ class BaseHandler(RequestHandler):
        - else: /hub/home
        """
        next_url = self.get_argument('next', default='')
        # protect against some browsers' buggy handling of backslash as slash
        next_url = next_url.replace('\\', '%5C')
        if (next_url + '/').startswith(
            (
                '%s://%s/' % (self.request.protocol, self.request.host),
@@ -434,15 +436,23 @@ class BaseHandler(RequestHandler):
            )
        ):
            # treat absolute URLs for our host as absolute paths:
            # below, redirects that aren't strictly paths
            parsed = urlparse(next_url)
            next_url = parsed.path
            if parsed.query:
                next_url = next_url + '?' + parsed.query
-            if parsed.hash:
+            if parsed.fragment:
-                next_url = next_url + '#' + parsed.hash
+                next_url = next_url + '#' + parsed.fragment
-        if next_url and (urlparse(next_url).netloc or not next_url.startswith('/')):
+
        # if it still has host info, it didn't match our above check for *this* host
        if next_url and (
            '://' in next_url
            or next_url.startswith('//')
            or not next_url.startswith('/')
        ):
            self.log.warning("Disallowing redirect outside JupyterHub: %r", next_url)
            next_url = ''
        if next_url and next_url.startswith(url_path_join(self.base_url, 'user/')):
            # add /hub/ prefix, to ensure we redirect to the right user's server.
            # The next request will be handled by SpawnHandler,
--- a/jupyterhub/tests/test_pages.py
+++ b/jupyterhub/tests/test_pages.py
@@ -409,10 +409,13 @@ def test_login_strip(app):
        (False, '/has?query#andhash', '/has?query#andhash'),
        # next_url outside is not allowed
        (False, 'relative/path', ''),
        (False, 'https://other.domain', ''),
        (False, 'ftp://other.domain', ''),
        (False, '//other.domain', ''),
-    ]
+        (False, '///other.domain/triple', ''),
        (False, '\\\\other.domain/backslashes', ''),
    ],
 )
@pytest.mark.gen_test
 def test_login_redirect(app, running, next_url, location):
@@ -426,7 +429,7 @@ def test_login_redirect(app, running, next_url, location):
    url = 'login'
    if next_url:
-        if '//' not in next_url:
+        if '//' not in next_url and next_url.startswith('/'):
            next_url = ujoin(app.base_url, next_url, '')
        url = url_concat(url, dict(next=next_url))
--- a/singleuser/hooks/post_push
+++ b/singleuser/hooks/post_push
@@ -14,7 +14,7 @@ function get_hub_version() {
  split=( ${hub_xyz//./ } )
  hub_xy="${split[0]}.${split[1]}"
  # add .dev on hub_xy so it's 1.0.dev
-  if [[ ! -z "${split[3]}" ]]; then
+  if [[ ! -z "${split[3]:-}" ]]; then
    hub_xy="${hub_xy}.${split[3]}"
  fi
 }
Author	SHA1	Message	Date
Min RK	5980ff1011	0.9.6	2019-04-01 12:17:49 +02:00
Min RK	2e8781c35b	Changelog for 0.9.6 replace 0.9.5 which has only a partial fix issue is now confirmed to affect all browsers	2019-04-01 12:17:40 +02:00
Min RK	3f1332e38f	Further login redirect validation	2019-04-01 12:12:15 +02:00
Min RK	db851cd230	Merge pull request #2488 from minrk/post_push Docker hook fixes	2019-04-01 12:06:49 +02:00
Min RK	8c8e26802a	fix unbound variable in post_push	2019-03-28 13:00:09 +01:00
Min RK	6a4900c468	release 0.9.5	2019-03-28 11:07:09 +01:00
Min RK	efbb692540	changelog for 0.9.5	2019-03-28 11:04:00 +01:00
Min RK	244ab813fe	protect against some browsers' buggy handling of backslash as slash	2019-03-28 10:30:36 +01:00