Commit d274b3f

committed
Issue #26657: Fix Windows directory traversal vulnerability with http.server
Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.
1 parent 6aafbd4 commit d274b3f


3 files changed

+26
-3
lines changed


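--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -774,9 +774,9 @@ def translate_path(self, path):
         words = filter(None, words)
         path = os.getcwd()
         for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
             path = os.path.join(path, word)
         if trailing_slash:
             path += '/'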
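Review bot: The new guard silently drops any component for which `os.path.dirname` reports a directory part (a drive prefix or an embedded native separator) as well as `.` and `..`, so a request like `c:foo/filename` is served as `<cwd>/filename` rather than rejected; that is the safe direction, but translate_path's docstring, which starts above this hunk, does not mention it. I would add to the docstring: `Components that are not a simple file or directory name (a drive prefix, an embedded separator, '.' or '..') are dropped rather than rejected, so several request paths can resolve to the same file.` The check depends on `os.path` being the native module, which is why the POSIX and Windows behaviour differ; a why-comment such as `# dirname() uses the host's path rules, so a backslash or drive letter only counts as a separator on Windows` would make that explicit for the next reader. Nothing in the hunk validates the characters of the surviving component beyond this, which is consistent with the previous behaviour.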

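--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@@ -918,6 +919,24 @@ def test_start_with_double_slash(self):
         path = self.handler.translate_path('//filename?foo=bar')
         self.assertEqual(path, self.translated)
 
+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
 
 class MiscTestCase(unittest.TestCase):
     def test_all(self):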
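Review bot: All four cases in test_windows_colon carry a drive prefix, so a backslash-only traversal with no drive letter is never exercised and a future change that handled `c:` but not a bare `\` separator would still pass. Adding one more case inside the same `with` block, `path = self.handler.translate_path('..\\filename')` followed by the existing `path = path.replace(ntpath.sep, os.sep)` and `self.assertEqual(path, self.translated)` pair, would close that gap. The `support.swap_attr(server.os, 'path', ntpath)` line is what makes these Windows rules run on every host, which deserves a one-line comment such as `# Force Windows path semantics so the drive/backslash cases run on every platform`.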

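--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -107,6 +107,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #26657: Fix directory traversal vulnerability with http.server on
+  Windows. This fixes a regression that was introduced in 3.3.4rc1 and
+  3.4.0rc1. Based on patch by Philipp Hagemeister.
+
 - Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by
   Anthony Sottile.
 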