[Python-checkins] cpython (2.7): Issue #26657: Fix SimpleHTTPServer Windows directory traversal vulnerability

martin.panter python-checkins at python.org
Mon Apr 18 04:02:43 EDT 2016


https://hg.python.org/cpython/rev/8aa032b26552
changeset:   101047:8aa032b26552
branch:      2.7
parent:      101037:bbcde8db4dc4
user:        Martin Panter <vadmium+py at gmail.com>
date:        Mon Apr 18 03:45:18 2016 +0000
summary:
  Issue #26657: Fix SimpleHTTPServer Windows directory traversal vulnerability

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision 6b314f5c9404.

files:
  Lib/SimpleHTTPServer.py      |   6 +++---
  Lib/test/test_httpservers.py |  20 ++++++++++++++++++++
  Misc/NEWS                    |   4 ++++
  3 files changed, 27 insertions(+), 3 deletions(-)


diff --git a/Lib/SimpleHTTPServer.py b/Lib/SimpleHTTPServer.py
--- a/Lib/SimpleHTTPServer.py
+++ b/Lib/SimpleHTTPServer.py
@@ -167,9 +167,9 @@
         words = filter(None, words)
         path = os.getcwd()
         for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
             path = os.path.join(path, word)
         if trailing_slash:
             path += '/'
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -8,6 +8,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib
 import httplib
@@ -604,6 +605,25 @@
         path = self.handler.translate_path('//filename?foo=bar')
         self.assertEqual(path, self.translated)
 
+    def test_windows_colon(self):
+        import SimpleHTTPServer
+        with test_support.swap_attr(SimpleHTTPServer.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
 
 def test_main(verbose=None):
     try:
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -77,6 +77,10 @@
 Library
 -------
 
+- Issue #26657: Fix directory traversal vulnerability with SimpleHTTPServer
+  on Windows.  This fixes a regression that was introduced in 2.7.7.  Based
+  on patch by Philipp Hagemeister.
+
 - Issue #19377: Add .svg to mimetypes.types_map.
 
 - Issue #13952: Add .csv to mimetypes.types_map.  Patch by Geoff Wilson.

-- 
Repository URL: https://hg.python.org/cpython


More information about the Python-checkins mailing list