bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) (#2860)

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f1f1e2d8811733fb952c9f18d7da3a376a)
(cherry picked from commit 6f6bc1da8aaae52664e7747e328d26eb59c0e74f)

1 files changed, 19 insertions, 0 deletions

diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index be5d8de..326d2b2 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@ import os
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import http.client
@@ -703,6 +704,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
         path = self.handler.translate_path('//filename?foo=bar')
         self.assertEqual(path, self.translated)
 
+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
 
 def test_main(verbose=None):
     cwd = os.getcwd()