]> git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
projects / thirdparty / Python / cpython.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 292076a)
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (#104067)
authorEthan Furman <ethan@stoneleaf.us>
Wed, 3 May 2023 03:42:00 +0000 (20:42 -0700)
committerGitHub <noreply@github.com>
Wed, 3 May 2023 03:42:00 +0000 (03:42 +0000)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Lib/http/server.py patch | blob | blame | history
Lib/test/test_httpservers.py patch | blob | blame | history
Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst [new file with mode: 0644] patch | blob

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 971f08046d50b5095143798ba22ada0be62be3e8..a245ffb307860aaf8b6db6f7c0636cb95d6a0257 100644 (file)
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -791,7 +791,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
             displaypath = urllib.parse.unquote(self.path,
                                                errors='surrogatepass')
         except UnicodeDecodeError:
-            displaypath = urllib.parse.unquote(path)
+            displaypath = urllib.parse.unquote(self.path)
         displaypath = html.escape(displaypath, quote=False)
         enc = sys.getfilesystemencoding()
         title = f'Directory listing for {displaypath}'
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index cbcf94136ac4ebc2596463061b119d606d9e9784..0382b5ec448d57fd1a0475673aab9b7c5e7a8fdb 100644 (file)
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -418,6 +418,14 @@ class SimpleHTTPServerTestCase(BaseTestCase):
         self.check_status_and_reason(response, HTTPStatus.OK,
                                      data=os_helper.TESTFN_UNDECODABLE)
 
+    def test_undecodable_parameter(self):
+        # sanity check using a valid parameter
+        response = self.request(self.base_url + '/?x=123').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
+        # now the bogus encoding
+        response = self.request(self.base_url + '/?x=%bb').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
+
     def test_get_dir_redirect_location_domain_injection_bug(self):
         """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
 
diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
new file mode 100644 (file)
index 0000000..969deb2
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@@ -0,0 +1,2 @@
+Do not expose the local on-disk location in directory indexes
+produced by :class:`http.client.SimpleHTTPRequestHandler`.
Mirror of https://github.com/python/cpython.git