Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-31 13:41:24 +00:00
Code Issues Projects Releases Packages Wiki Activity

Issue #26657: Merge http.server fix from 3.5

Browse source
This commit is contained in:
Martin Panter 2016-04-18 07:16:17 +00:00
commit 791ac54a44
3 changed files with 26 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Lib/http/server.py
View file

@ -768,9 +768,9 @@ def translate_path(self, path):
words = filter(None, words) words = filter(None, words)
path = os.getcwd() path = os.getcwd()
for word in words: for word in words:
drive, word = os.path.splitdrive(word) if os.path.dirname(word) or word in (os.curdir, os.pardir):
head, word = os.path.split(word) # Ignore components that are not a simple file/directory name
if word in (os.curdir, os.pardir): continue continue
path = os.path.join(path, word) path = os.path.join(path, word)
if trailing_slash: if trailing_slash:
path += '/' path += '/'

19
Lib/test/test_httpservers.py
View file

@ -12,6 +12,7 @@
import sys import sys
import re import re
import base64 import base64
import ntpath
import shutil import shutil
import urllib.parse import urllib.parse
import html import html
@ -960,6 +961,24 @@ def test_start_with_double_slash(self):
path = self.handler.translate_path('//filename?foo=bar') path = self.handler.translate_path('//filename?foo=bar')
self.assertEqual(path, self.translated) self.assertEqual(path, self.translated)
def test_windows_colon(self):
with support.swap_attr(server.os, 'path', ntpath):
path = self.handler.translate_path('c:c:c:foo/filename')
path = path.replace(ntpath.sep, os.sep)
self.assertEqual(path, self.translated)
path = self.handler.translate_path('\\c:../filename')
path = path.replace(ntpath.sep, os.sep)
self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:\\c:..\\foo/filename')
path = path.replace(ntpath.sep, os.sep)
self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
path = path.replace(ntpath.sep, os.sep)
self.assertEqual(path, self.translated)
class MiscTestCase(unittest.TestCase): class MiscTestCase(unittest.TestCase):
def test_all(self): def test_all(self):

4
Misc/NEWS
View file

@ -245,6 +245,10 @@ Core and Builtins
Library Library
------- -------
- Issue #26657: Fix directory traversal vulnerability with http.server on
Windows. This fixes a regression that was introduced in 3.3.4rc1 and
3.4.0rc1. Based on patch by Philipp Hagemeister.
- Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by - Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by
Anthony Sottile. Anthony Sottile.