bpo-26657: Fix Windows directory traversal vulnerability with http.se… · python/cpython@7b92f9f (original) (raw)

@@ -793,9 +793,9 @@ def translate_path(self, path):
793 793 words = filter(None, words)
794 794 path = os.getcwd()
795 795 for word in words:
796 -drive, word = os.path.splitdrive(word)
797 -head, word = os.path.split(word)
798 -if word in (os.curdir, os.pardir): continue
796 +if os.path.dirname(word) or word in (os.curdir, os.pardir):
797 + # Ignore components that are not a simple file/directory name
798 + continue
799 799 path = os.path.join(path, word)
800 800 if trailing_slash:
801 801 path += '/'
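Review bot: The new guard at line 796 skips the offending component and keeps joining the remaining words, so a request like `\c:../filename` still resolves to a file under `os.getcwd()` instead of being refused — the test in this commit asserts it equals the same `self.translated` as the `//filename?foo=bar` case. That matches how `..` was already handled, but the one-line comment reads as if the component were rejected, so I would extend it to `# Ignore components that are not a simple file/directory name (e.g. 'c:..' on Windows); the remaining words are still joined under os.getcwd()`. Note that `os.path.dirname(word)` is platform-dependent, which is the reason the tests swap in `ntpath`; the `words` split and the rest of translate_path lie outside the hunk.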
@@ -12,6 +12,7 @@
12 12 import sys
13 13 import re
14 14 import base64
15 +import ntpath
15 16 import shutil
16 17 import urllib.parse
17 18 import http.client
@@ -703,6 +704,24 @@ def test_start_with_double_slash(self):
703 704 path = self.handler.translate_path('//filename?foo=bar')
704 705 self.assertEqual(path, self.translated)
705 706
707 +def test_windows_colon(self):
708 +with support.swap_attr(server.os, 'path', ntpath):
709 +path = self.handler.translate_path('c:c:c:foo/filename')
710 +path = path.replace(ntpath.sep, os.sep)
711 +self.assertEqual(path, self.translated)
712 +
713 +path = self.handler.translate_path('\\c:../filename')
714 +path = path.replace(ntpath.sep, os.sep)
715 +self.assertEqual(path, self.translated)
716 +
717 +path = self.handler.translate_path('c:\\c:..\\foo/filename')
718 +path = path.replace(ntpath.sep, os.sep)
719 +self.assertEqual(path, self.translated)
720 +
721 +path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
722 +path = path.replace(ntpath.sep, os.sep)
723 +self.assertEqual(path, self.translated)
724 +
706 725
707 726 def test_main(verbose=None):
708 727 cwd = os.getcwd()
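Review bot: The four stanzas of test_windows_colon (new lines 708–723) repeat the same three-line pattern, so a failure stops at the first request path that breaks and the report does not say which input was being checked; iterating the inputs under `self.subTest` keeps all four independent and names the failing path. All four are compared against the same `self.translated`, which I read as each collapsing to the bare filename; a positive case that a legitimate nested path still resolves would make the intent of the filtering clearer, but that belongs in a separate test. `self.handler` and `self.translated` are set up outside the hunk.
```python
def test_windows_colon(self):
    with support.swap_attr(server.os, 'path', ntpath):
        for request_path in ('c:c:c:foo/filename',
                             '\\c:../filename',
                             'c:\\c:..\\foo/filename',
                             'c:c:foo\\c:c:bar/filename'):
            with self.subTest(request_path=request_path):
                path = self.handler.translate_path(request_path)
                path = path.replace(ntpath.sep, os.sep)
                self.assertEqual(path, self.translated)
```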
@@ -0,0 +1,3 @@
1 +Fix directory traversal vulnerability with http.server on Windows. This
2 +fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
3 +patch by Philipp Hagemeister.