tornadoweb
diff --git a/‎demos/README.rst‎
Lines changed: 0 additions & 11 deletions b/‎demos/README.rst‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎demos/blog/blog.py‎
Lines changed: 11 additions & 3 deletions b/‎demos/blog/blog.py‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎demos/blog/templates/base.html‎
Lines changed: 27 additions & 23 deletions b/‎demos/blog/templates/base.html‎
Lines changed: 27 additions & 23 deletions
diff --git a/‎demos/chat/chatdemo.py‎
Lines changed: 6 additions & 2 deletions b/‎demos/chat/chatdemo.py‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎demos/facebook/facebook.py‎
Lines changed: 3 additions & 9 deletions b/‎demos/facebook/facebook.py‎
Lines changed: 3 additions & 9 deletions
@@ -5,16 +5,6 @@ This directory contains several example apps that illustrate the usage of
 various Tornado features. If you're not sure where to start, try the ``chat``,
 ``blog``, or ``websocket`` demos.
 
-.. note::
-
-    These applications require features due to be introduced in Tornado 6.3
-    which is not yet released. Unless you are testing the new release,
-    use the GitHub branch selector to access the ``stable`` branch
-    (or the ``branchX.y`` branch corresponding to the version of Tornado you
-    are using) to get a suitable version of the demos.
-
-    TODO: remove this when 6.3 ships.
-
 Web Applications
 ~~~~~~~~~~~~~~~~
 
@@ -24,7 +14,6 @@ Web Applications
 - ``websocket``: Similar to ``chat`` but with WebSockets instead of
   long polling.
 - ``helloworld``: The simplest possible Tornado web page.
-- ``s3server``: Implements a basic subset of the Amazon S3 API.
 
 Feature demos
 ~~~~~~~~~~~~~
 
@@ -132,6 +132,14 @@ async def prepare(self):
     async def any_author_exists(self):
         return bool(await self.query("SELECT * FROM authors LIMIT 1"))
 
+    def redirect_to_next(self):
+        next = self.get_argument("next", "/")
+        if next.startswith("//") or not next.startswith("/"):
+            # Absolute URLs are not allowed because this would be an open redirect
+            # vulnerability (https://cwe.mitre.org/data/definitions/601.html).
+            raise tornado.web.HTTPError(400)
+        self.redirect(next)
+
 
 class HomeHandler(BaseHandler):
     async def get(self):
@@ -243,7 +251,7 @@ async def post(self):
             tornado.escape.to_unicode(hashed_password),
         )
         self.set_signed_cookie("blogdemo_user", str(author.id))
-        self.redirect(self.get_argument("next", "/"))
+        self.redirect_to_next()
 
 
 class AuthLoginHandler(BaseHandler):
@@ -270,15 +278,15 @@ async def post(self):
         )
         if password_equal:
             self.set_signed_cookie("blogdemo_user", str(author.id))
-            self.redirect(self.get_argument("next", "/"))
+            self.redirect_to_next()
         else:
             self.render("login.html", error="incorrect password")
 
 
 class AuthLogoutHandler(BaseHandler):
     def get(self):
         self.clear_cookie("blogdemo_user")
-        self.redirect(self.get_argument("next", "/"))
+        self.redirect_to_next()
 
 
 class EntryModule(tornado.web.UIModule):
 
@@ -1,27 +1,31 @@
 <!DOCTYPE html>
 <html>
-  <head>
-    <meta charset="UTF-8">
-    <title>{{ escape(handler.settings["blog_title"]) }}</title>
-    <link rel="stylesheet" href="{{ static_url("blog.css") }}" type="text/css">
-    <link rel="alternate" href="/feed" type="application/atom+xml" title="{{ escape(handler.settings["blog_title"]) }}">
-    {% block head %}{% end %}
-  </head>
-  <body>
-    <div id="body">
-      <div id="header">
-        <div style="float:right">
-          {% if current_user %}
-            <a href="/compose">{{ _("New post") }}</a> -
-            <a href="/auth/logout?next={{ url_escape(request.uri) }}">{{ _("Sign out") }}</a>
-          {% else %}
-            {% raw _('<a href="%(url)s">Sign in</a> to compose/edit') % {"url": "/auth/login?next=" + url_escape(request.uri)} %}
-          {% end %}
-        </div>
-        <h1><a href="/">{{ escape(handler.settings["blog_title"]) }}</a></h1>
+
+<head>
+  <meta charset="UTF-8">
+  <title>{{ escape(handler.settings["blog_title"]) }}</title>
+  <link rel="stylesheet" href="{{ static_url(" blog.css") }}" type="text/css">
+  <link rel="alternate" href="/feed" type="application/atom+xml" title="{{ escape(handler.settings[" blog_title"]) }}">
+  {% block head %}{% end %}
+</head>
+
+<body>
+  <div id="body">
+    <div id="header">
+      <div style="float:right">
+        {% if current_user %}
+        <a href="/compose">{{ _("New post") }}</a> -
+        <a href="/auth/logout?next={{ url_escape(request.path) }}">{{ _("Sign out") }}</a>
+        {% else %}
+        {% raw _('<a href="%(url)s">Sign in</a> to compose/edit') % {"url": "/auth/login?next=" +
+        url_escape(request.path)} %}
+        {% end %}
       </div>
-      <div id="content">{% block body %}{% end %}</div>
+      <h1><a href="/">{{ escape(handler.settings["blog_title"]) }}</a></h1>
     </div>
-    {% block bottom %}{% end %}
-  </body>
-</html>
+    <div id="content">{% block body %}{% end %}</div>
+  </div>
+  {% block bottom %}{% end %}
+</body>
+
+</html>
@@ -71,8 +71,12 @@ def post(self):
         message["html"] = tornado.escape.to_unicode(
             self.render_string("message.html", message=message)
         )
-        if self.get_argument("next", None):
-            self.redirect(self.get_argument("next"))
+        if next := self.get_argument("next", None):
+            if next.startswith("//") or not next.startswith("/"):
+                # Absolute URLs are not allowed because this would be an open redirect
+                # vulnerability (https://cwe.mitre.org/data/definitions/601.html).
+                raise tornado.web.HTTPError(400)
+            self.redirect(next)
         else:
             self.write(message)
         global_message_buffer.add_message(message)
 
@@ -70,13 +70,7 @@ async def get(self):
 
 class AuthLoginHandler(BaseHandler, tornado.auth.FacebookGraphMixin):
     async def get(self):
-        my_url = (
-            self.request.protocol
-            + "://"
-            + self.request.host
-            + "/auth/login?next="
-            + tornado.escape.url_escape(self.get_argument("next", "/"))
-        )
+        my_url = self.request.protocol + "://" + self.request.host + "/auth/login"
         if self.get_argument("code", False):
             user = await self.get_authenticated_user(
                 redirect_uri=my_url,
@@ -85,7 +79,7 @@ async def get(self):
                 code=self.get_argument("code"),
             )
             self.set_signed_cookie("fbdemo_user", tornado.escape.json_encode(user))
-            self.redirect(self.get_argument("next", "/"))
+            self.redirect("/")
             return
         self.authorize_redirect(
             redirect_uri=my_url,
@@ -97,7 +91,7 @@ async def get(self):
 class AuthLogoutHandler(BaseHandler, tornado.auth.FacebookGraphMixin):
     def get(self):
         self.clear_cookie("fbdemo_user")
-        self.redirect(self.get_argument("next", "/"))
+        self.redirect("/")
 
 
 class PostModule(tornado.web.UIModule):