Commit 6f6bc1d

vstinner authored and larryhastings committed
bpo-26657: Fix Windows directory traversal vulnerability with http.server (python#782)
Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47. (cherry picked from commit d274b3f)
1 parent cc54c1c commit 6f6bc1d

3 files changed

+25
-3
lines changed


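--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -817,9 +817,9 @@ def translate_path(self, path):
 words = filter(None, words)
 path = os.getcwd()
 for word in words:
-drive, word = os.path.splitdrive(word)
-head, word = os.path.split(word)
-if word in (os.curdir, os.pardir): continue
+if os.path.dirname(word) or word in (os.curdir, os.pardir):
+# Ignore components that are not a simple file/directory name
+continue
 path = os.path.join(path, word)
 if trailing_slash:
 path += '/'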
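Review bot: The new comment above the `continue` says what is skipped but not why, and nothing in the code ties the `os.path.dirname(word)` test to the Windows traversal it closes, so a later cleanup could reinstate a split-based normalisation. I would expand it to `# Drop anything that is not a plain name: ntpath treats 'c:..' and '\\..' as drive-relative or rooted, so normalising such a component with splitdrive()/split() can escape the served directory (bpo-26657).` It is also worth stating that a rejected component is silently dropped, so the request is mapped onto a different file rather than answered with an error, which matches the pre-existing handling of `..`. translate_path's body starts and ends outside this hunk, including the code that produces `words`.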

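--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@@ -829,6 +830,24 @@ def test_start_with_double_slash(self):
 path = self.handler.translate_path('//filename?foo=bar')
 self.assertEqual(path, self.translated)
 
+def test_windows_colon(self):
+with support.swap_attr(server.os, 'path', ntpath):
+path = self.handler.translate_path('c:c:c:foo/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('\\c:../filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('c:\\c:..\\foo/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
 
 class MiscTestCase(unittest.TestCase):
 def test_all(self):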
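Review bot: test_windows_colon has no docstring, and every case places the hostile component before `filename`, so a drive-relative word in the final position is never exercised; a trailing case, `path = self.handler.translate_path('filename/c:..')`, should still equal `self.translated` after the same `replace` and would pin that the skip does not depend on position. A one-line docstring such as `"""bpo-26657: drive-relative components must not escape the served directory on Windows."""` would record why ntpath is swapped in at all. Assuming `server.os` is the os module, `swap_attr` replaces `os.path` for the whole process for the duration of the block, so keeping the block free of other filesystem calls, as it is now, matters.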
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
Fix directory traversal vulnerability with http.server on Windows. This
2+
fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
3+
patch by Philipp Hagemeister.
