bpo-26657: Fix Windows directory traversal vulnerability with http.se… · python/cpython@6f6bc1d (original) (raw)

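--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -817,9 +817,9 @@ def translate_path(self, path):
 words = filter(None, words)
 path = os.getcwd()
 for word in words:
-drive, word = os.path.splitdrive(word)
-head, word = os.path.split(word)
-if word in (os.curdir, os.pardir): continue
+if os.path.dirname(word) or word in (os.curdir, os.pardir):
+ # Ignore components that are not a simple file/directory name
+ continue
 path = os.path.join(path, word)
 if trailing_slash:
 path += '/'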
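Review bot: The comment under the new guard says what is skipped but not why, and a reader on a POSIX host cannot see that `os.path.dirname(word)` is only ever non-empty here because `ntpath` recognises a drive prefix such as `c:` and backslash separators inside a single `/`-split component. Suggest `# On Windows, dirname() is non-empty for drive-relative ('c:foo') and backslash-separated fragments; never join those, or '.'/'..', onto the served directory`. Note that `continue` drops the offending component and keeps the rest of the request path, so the request is still served from a sibling location rather than refused; that matches the existing `..` handling, but it is worth stating in the comment so nobody later "fixes" it into a 404 without considering callers. translate_path begins and ends outside this hunk.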
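--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -12,6 +12,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@@ -829,6 +830,24 @@ def test_start_with_double_slash(self):
 path = self.handler.translate_path('//filename?foo=bar')
 self.assertEqual(path, self.translated)
 
+def test_windows_colon(self):
+with support.swap_attr(server.os, 'path', ntpath):
+path = self.handler.translate_path('c:c:c:foo/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('\\c:../filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('c:\\c:..\\foo/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
+path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+path = path.replace(ntpath.sep, os.sep)
+self.assertEqual(path, self.translated)
+
 
 class MiscTestCase(unittest.TestCase):
 def test_all(self):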
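Review bot: test_windows_colon exercises stacked and backslash-mixed drive fragments but not the simplest input the fix must reject, a bare drive prefix as the first component; under `ntpath`, `dirname('c:')` is non-empty, so it should be dropped like the others, and pinning that is one more triple: `path = self.handler.translate_path('c:/filename')` followed by the same `replace` and `assertEqual` lines. The `path.replace(ntpath.sep, os.sep)` on each case is there so `self.translated` compares on a POSIX host and is a no-op on Windows; a one-line comment above the first one, `# translate_path joined with ntpath.sep; normalise so the comparison works on any host`, would save the next reader from wondering whether it masks a real separator difference.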
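--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,3 @@
+Fix directory traversal vulnerability with http.server on Windows. This
+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
+patch by Philipp Hagemeister.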