NotificationsYou must be signed in to change notification settings
Fork32.1k
Star67.3k

Commitc7c3a60

authored

gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (#104067)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)---------Co-authored-by: Gregory P. Smith <greg@krypto.org>Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

1 parent292076a commitc7c3a60Copy full SHA for c7c3a60

File tree

3 files changed

+11

-1

lines changed

Lib
- http
  - server.py
- test
  - test_httpservers.py
Misc/NEWS.d/next/Security
- 2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst

3 files changed

+11

-1

lines changed

`‎Lib/http/server.py`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -791,7 +791,7 @@ def list_directory(self, path):`
`791`	`791`	`displaypath=urllib.parse.unquote(self.path,`
`792`	`792`	`errors='surrogatepass')`
`793`	`793`	`exceptUnicodeDecodeError:`
`794`		`-displaypath=urllib.parse.unquote(path)`
	`794`	`+displaypath=urllib.parse.unquote(self.path)`
`795`	`795`	`displaypath=html.escape(displaypath,quote=False)`
`796`	`796`	`enc=sys.getfilesystemencoding()`
`797`	`797`	`title=f'Directory listing for{displaypath}'`

`‎Lib/test/test_httpservers.py`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -418,6 +418,14 @@ def test_undecodable_filename(self):`
`418`	`418`	`self.check_status_and_reason(response,HTTPStatus.OK,`
`419`	`419`	`data=os_helper.TESTFN_UNDECODABLE)`
`420`	`420`
	`421`	`+deftest_undecodable_parameter(self):`
	`422`	`+# sanity check using a valid parameter`
	`423`	`+response=self.request(self.base_url+'/?x=123').read()`
	`424`	`+self.assertRegex(response,f'listing for{self.base_url}/\?x=123'.encode('latin1'))`
	`425`	`+# now the bogus encoding`
	`426`	`+response=self.request(self.base_url+'/?x=%bb').read()`
	`427`	`+self.assertRegex(response,f'listing for{self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))`
	`428`	`+`
`421`	`429`	`deftest_get_dir_redirect_location_domain_injection_bug(self):`
`422`	`430`	`"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.`
`423`	`431`

`‎Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Do not expose the local on-disk location in directory indexes`
	`2`	+produced by:class:`http.client.SimpleHTTPRequestHandler`.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitc7c3a60

File tree

3 files changed

3 files changed

`‎Lib/http/server.py`

`‎Lib/test/test_httpservers.py`

`‎Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst`

0 commit comments