bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782)...

author Victor Stinner <victor.stinner@gmail.com>

Wed, 26 Jul 2017 04:06:18 +0000 (06:06 +0200)

committer Ned Deily <nad@python.org>

Wed, 26 Jul 2017 04:06:18 +0000 (00:06 -0400)
author Victor Stinner <victor.stinner@gmail.com>
Wed, 26 Jul 2017 04:06:18 +0000 (06:06 +0200)
committer Ned Deily <nad@python.org>
Wed, 26 Jul 2017 04:06:18 +0000 (00:06 -0400)
diff --git a/Lib/http/server.py b/Lib/http/server.py

index 7d3b506075f299338a154ff7efeded583ab09161..28698f81a336ccf0b2d285e4a1af0597c2279aef 100644 (file)
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -793,9 +793,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
          words = filter(None, words)
          path = os.getcwd()
          for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
              path = os.path.join(path, word)
          if trailing_slash:
              path += '/'
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py

index be5d8de0570dfb70ef249a385dcb0fe5cf7ea92e..326d2b24b5d1208250c387f1583fc87134e03df0 100644 (file)
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@ import os
  import sys
  import re
  import base64
+import ntpath
  import shutil
  import urllib.parse
  import http.client
@@ -703,6 +704,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
          path = self.handler.translate_path('//filename?foo=bar')
          self.assertEqual(path, self.translated)
  
+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
  
  def test_main(verbose=None):
      cwd = os.getcwd()
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst

new file mode 100644 (file)

index 0000000..ac1dc14
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
@@ -0,0 +1,3 @@
+Fix directory traversal vulnerability with http.server on Windows. This
+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
+patch by Philipp Hagemeister.
author	Victor Stinner <victor.stinner@gmail.com>
	Wed, 26 Jul 2017 04:06:18 +0000 (06:06 +0200)
committer	Ned Deily <nad@python.org>
	Wed, 26 Jul 2017 04:06:18 +0000 (00:06 -0400)
Lib/http/server.py		patch \| blob \| blame \| history
Lib/test/test_httpservers.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst	[new file with mode: 0644]	patch \| blob