Issue #26657: Merge http.server fix from 3.5

791ac54a · Martin Panter · d2be07e1 · d274b3f1 · 791ac54a · 791ac54a
Commit 791ac54a authored Apr 18, 2016 by Martin Panter
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 3 deletions

Lib/http/server.py Lib/http/server.py +3 -3

Lib/test/test_httpservers.py Lib/test/test_httpservers.py +19 -0

Misc/NEWS Misc/NEWS +4 -0

No files found.
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -768,9 +768,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
        words = filter(None, words)
        path = os.getcwd()
        for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
            path = os.path.join(path, word)
        if trailing_slash:
            path += '/'

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@ import os
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@@ -960,6 +961,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
        path = self.handler.translate_path('//filename?foo=bar')
        self.assertEqual(path, self.translated)

+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+

 class MiscTestCase(unittest.TestCase):
    def test_all(self):

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -245,6 +245,10 @@ Core and Builtins
 Library
 -------

+- Issue #26657: Fix directory traversal vulnerability with http.server on
+  Windows.  This fixes a regression that was introduced in 3.3.4rc1 and
+  3.4.0rc1.  Based on patch by Philipp Hagemeister.
+
 - Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8.  Patch by
  Anthony Sottile.