[3.10] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104119)

gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2023-05-09 15:21:53 (GMT)
committer: GitHub <noreply@github.com> 2023-05-09 15:21:53 (GMT)
commit: d77e77c363a170f4435cbe826628b6a347654d9e (patch)
tree: cc7ad763e443e31171bf7bc6f6921e0dd33fd0e9 /Lib
parent: e277266a926a9037d39f1af7751050012f7f1998 (diff)
download: cpython-d77e77c363a170f4435cbe826628b6a347654d9e.zip
cpython-d77e77c363a170f4435cbe826628b6a347654d9e.tar.gz
cpython-d77e77c363a170f4435cbe826628b6a347654d9e.tar.bz2
2 files changed, 9 insertions, 1 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 9c218d0..b965c59 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -791,7 +791,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
             displaypath = urllib.parse.unquote(self.path,
                                                errors='surrogatepass')
         except UnicodeDecodeError:
-            displaypath = urllib.parse.unquote(path)
+            displaypath = urllib.parse.unquote(self.path)
         displaypath = html.escape(displaypath, quote=False)
         enc = sys.getfilesystemencoding()
         title = 'Directory listing for %s' % displaypath
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index a5f787f..66ab064 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -417,6 +417,14 @@ class SimpleHTTPServerTestCase(BaseTestCase):
         self.check_status_and_reason(response, HTTPStatus.OK,
                                      data=os_helper.TESTFN_UNDECODABLE)
 
+    def test_undecodable_parameter(self):
+        # sanity check using a valid parameter
+        response = self.request(self.base_url + '/?x=123').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
+        # now the bogus encoding
+        response = self.request(self.base_url + '/?x=%bb').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
+
     def test_get_dir_redirect_location_domain_injection_bug(self):
         """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2023-05-09 15:21:53 (GMT)
committer	GitHub <noreply@github.com>	2023-05-09 15:21:53 (GMT)
commit	d77e77c363a170f4435cbe826628b6a347654d9e (patch)
tree	cc7ad763e443e31171bf7bc6f6921e0dd33fd0e9 /Lib
parent	e277266a926a9037d39f1af7751050012f7f1998 (diff)
download	cpython-d77e77c363a170f4435cbe826628b6a347654d9e.zip cpython-d77e77c363a170f4435cbe826628b6a347654d9e.tar.gz cpython-d77e77c363a170f4435cbe826628b6a347654d9e.tar.bz2