From: Victor Stinner Date: Wed, 26 Jul 2017 04:06:18 +0000 (+0200) Subject: bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782)... X-Git-Tag: v3.3.7rc1~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7b92f9fa47df754b50c64aac84cf1c09693571af;p=thirdparty%2FPython%2Fcpython.git bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) (#2860) Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47. (cherry picked from commit d274b3f1f1e2d8811733fb952c9f18d7da3a376a) (cherry picked from commit 6f6bc1da8aaae52664e7747e328d26eb59c0e74f) --- diff --git a/Lib/http/server.py b/Lib/http/server.py index 7d3b506075f2..28698f81a336 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -793,9 +793,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler): words = filter(None, words) path = os.getcwd() for word in words: - drive, word = os.path.splitdrive(word) - head, word = os.path.split(word) - if word in (os.curdir, os.pardir): continue + if os.path.dirname(word) or word in (os.curdir, os.pardir): + # Ignore components that are not a simple file/directory name + continue path = os.path.join(path, word) if trailing_slash: path += '/' diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index be5d8de0570d..326d2b24b5d1 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -12,6 +12,7 @@ import os import sys import re import base64 +import ntpath import shutil import urllib.parse import http.client @@ -703,6 +704,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase): path = self.handler.translate_path('//filename?foo=bar') self.assertEqual(path, self.translated) + def test_windows_colon(self): + with support.swap_attr(server.os, 'path', ntpath): + path = self.handler.translate_path('c:c:c:foo/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('\\c:../filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('c:\\c:..\\foo/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + + path = self.handler.translate_path('c:c:foo\\c:c:bar/filename') + path = path.replace(ntpath.sep, os.sep) + self.assertEqual(path, self.translated) + def test_main(verbose=None): cwd = os.getcwd() diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst new file mode 100644 index 000000000000..ac1dc14d061a --- /dev/null +++ b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst @@ -0,0 +1,3 @@ +Fix directory traversal vulnerability with http.server on Windows. This +fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on +patch by Philipp Hagemeister.