Issue #26657: Fix Windows directory traversal vulnerability with http… · python/cpython@d274b3f (original) (raw)
3 files changed
lines changed
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -774,9 +774,9 @@ def translate_path(self, path): | ||
| 774 | 774 | words = filter(None, words) |
| 775 | 775 | path = os.getcwd() |
| 776 | 776 | for word in words: |
| 777 | -drive, word = os.path.splitdrive(word) | |
| 778 | -head, word = os.path.split(word) | |
| 779 | -if word in (os.curdir, os.pardir): continue | |
| 777 | +if os.path.dirname(word) or word in (os.curdir, os.pardir): | |
| 778 | + # Ignore components that are not a simple file/directory name | |
| 779 | + continue | |
| 780 | 780 | path = os.path.join(path, word) |
| 781 | 781 | if trailing_slash: |
| 782 | 782 | path += '/' |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -12,6 +12,7 @@ | ||
| 12 | 12 | import sys |
| 13 | 13 | import re |
| 14 | 14 | import base64 |
| 15 | +import ntpath | |
| 15 | 16 | import shutil |
| 16 | 17 | import urllib.parse |
| 17 | 18 | import html |
| @@ -918,6 +919,24 @@ def test_start_with_double_slash(self): | ||
| 918 | 919 | path = self.handler.translate_path('//filename?foo=bar') |
| 919 | 920 | self.assertEqual(path, self.translated) |
| 920 | 921 | |
| 922 | +def test_windows_colon(self): | |
| 923 | +with support.swap_attr(server.os, 'path', ntpath): | |
| 924 | +path = self.handler.translate_path('c:c:c:foo/filename') | |
| 925 | +path = path.replace(ntpath.sep, os.sep) | |
| 926 | +self.assertEqual(path, self.translated) | |
| 927 | + | |
| 928 | +path = self.handler.translate_path('\\c:../filename') | |
| 929 | +path = path.replace(ntpath.sep, os.sep) | |
| 930 | +self.assertEqual(path, self.translated) | |
| 931 | + | |
| 932 | +path = self.handler.translate_path('c:\\c:..\\foo/filename') | |
| 933 | +path = path.replace(ntpath.sep, os.sep) | |
| 934 | +self.assertEqual(path, self.translated) | |
| 935 | + | |
| 936 | +path = self.handler.translate_path('c:c:foo\\c:c:bar/filename') | |
| 937 | +path = path.replace(ntpath.sep, os.sep) | |
| 938 | +self.assertEqual(path, self.translated) | |
| 939 | + | |
| 921 | 940 | |
| 922 | 941 | class MiscTestCase(unittest.TestCase): |
| 923 | 942 | def test_all(self): |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -107,6 +107,10 @@ Core and Builtins | ||
| 107 | 107 | Library |
| 108 | 108 | ------- |
| 109 | 109 | |
| 110 | +- Issue #26657: Fix directory traversal vulnerability with http.server on | |
| 111 | + Windows. This fixes a regression that was introduced in 3.3.4rc1 and | |
| 112 | + 3.4.0rc1. Based on patch by Philipp Hagemeister. | |
| 113 | + | |
| 110 | 114 | - Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by |
| 111 | 115 | Anthony Sottile. |
| 112 | 116 |