diff options
| author | Victor Stinner <victor.stinner@gmail.com> | 2017-07-12 14:52:04 +0200 |
|---|---|---|
| committer | larryhastings <larry@hastings.org> | 2017-07-12 14:52:04 +0200 |
| commit | 6f6bc1da8aaae52664e7747e328d26eb59c0e74f (patch) | |
| tree | 01e1710ceda12d134b740140b31bd9834c5f6aa4 | |
| parent | cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 (diff) | |
| download | cpython-6f6bc1da8aaae52664e7747e328d26eb59c0e74f.tar.gz cpython-6f6bc1da8aaae52664e7747e328d26eb59c0e74f.zip | |
bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782)
Based on patch by Philipp Hagemeister. This fixes a regression caused by
revision f4377699fd47.
(cherry picked from commit d274b3f1f1e2d8811733fb952c9f18d7da3a376a)
| -rw-r--r-- | Lib/http/server.py | 6 | ||||
| -rw-r--r-- | Lib/test/test_httpservers.py | 19 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst | 3 |
3 files changed, 25 insertions, 3 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index 4688096b31c..2cfd3172a13 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -817,9 +817,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler): words = filter(None, words) path = os.getcwd() for word in words: - drive, word = os.path.splitdrive(word) - head, word = os.path.split(word) - if word in (os.curdir, os.pardir): continue + if os.path.dirname(word) or word in (os.curdir, os.pardir): + # Ignore components that are not a simple file/directory name + continue path = os.path.join(path, word) if trailing_slash: path += '/' diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index 6e5f2db7fdd..64a57657031 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -12,6 +12,7 @@ import os import sys import re import base64 +import ntpath import shutil import urllib.parse import html @@ -829,6 +830,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase): path = self.handler.translate_path('//filename?foo=bar') self.assertEqual(path, self.translated) + def test_windows_colon(self): + with support.swap_attr(server.os, 'path', ntpath): + path = self.handler.translate_path('c:c:c:foo/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('\\c:../filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('c:\\c:..\\foo/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('c:c:foo\\c:c:bar/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + class MiscTestCase(unittest.TestCase): def test_all(self): diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst new file mode 100644 index 00000000000..ac1dc14d061 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst @@ -0,0 +1,3 @@ +Fix directory traversal vulnerability with http.server on Windows. This +fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on +patch by Philipp Hagemeister. |