diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2023-05-22 10:40:50 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-22 10:40:50 (GMT) |
| commit | b53d0ff4312cc2a67b9c5752844b140c08514648 (patch) | |
| tree | 3deb249e119fac73e382c2637e8a985068872773 | |
| parent | d1645ce4f1075d0a6ce051aa10f54f35489aa605 (diff) | |
| download | cpython-b53d0ff4312cc2a67b9c5752844b140c08514648.zip cpython-b53d0ff4312cc2a67b9c5752844b140c08514648.tar.gz cpython-b53d0ff4312cc2a67b9c5752844b140c08514648.tar.bz2 | |
[3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104120)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
| -rw-r--r-- | Lib/http/server.py | 2 | ||||
| -rw-r--r-- | Lib/test/test_httpservers.py | 8 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst | 2 |
3 files changed, 11 insertions, 1 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index cf8933c..969df73 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -791,7 +791,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler): displaypath = urllib.parse.unquote(self.path, errors='surrogatepass') except UnicodeDecodeError: - displaypath = urllib.parse.unquote(path) + displaypath = urllib.parse.unquote(self.path) displaypath = html.escape(displaypath, quote=False) enc = sys.getfilesystemencoding() title = 'Directory listing for %s' % displaypath diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index db9ee29..153206d 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -415,6 +415,14 @@ class SimpleHTTPServerTestCase(BaseTestCase): self.check_status_and_reason(response, HTTPStatus.OK, data=support.TESTFN_UNDECODABLE) + def test_undecodable_parameter(self): + # sanity check using a valid parameter + response = self.request(self.base_url + '/?x=123').read() + self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1')) + # now the bogus encoding + response = self.request(self.base_url + '/?x=%bb').read() + self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1')) + def test_get_dir_redirect_location_domain_injection_bug(self): """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location. diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst new file mode 100644 index 0000000..969deb2 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst @@ -0,0 +1,2 @@ +Do not expose the local on-disk location in directory indexes +produced by :class:`http.client.SimpleHTTPRequestHandler`. |