Jun 21, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 16, 2022
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
    def test_get_dir_redirect_location_domain_injection_bug(self):
        """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.

        //domain/ in a Location header is a redirect to a newdomain name.
        //netloc/ in a Location header is a redirect to a newhost.
        https://github.com/python/cpython/issues/87389

        This checks that a path resolving to a directory on our server cannot
        resolve into a redirect to another server telling it that the
        directory in question exists on the Referrer server.
        resolve into a redirect to another server.
        """
        os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
        url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
        # Canonicalizes to /tmp/tempdir_name/existing_directory which does
        # exist and is a dir, triggering the 301 redirect and former bug.
        attack_url = f'//python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
        attack_url = f'/{url}'  # //python.org... multi-slash prefix, no trailing slash
        expected_location = f'{url}/'  # /python.org.../ single slash single prefix, trailing slash

        response = self.request(attack_url)
        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
        location = response.getheader('Location')
        self.assertFalse(location.startswith('//'), msg=location)
        self.assertEqual(location,f'/{attack_url.lstrip("/")}/',
        self.assertEqual(location,expected_location,
                msg='Expected Location header to start with a single / and '
                'end with a / as this is a directory redirect.')

        attack3_url = f'//{url}'  # ///python.org... triple-slash prefix, no trailing slash
        response = self.request(attack3_url)
        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
        self.assertEqual(response.getheader('Location'), expected_location)

    def test_get(self):
        #constructs the path relative to the root directory of the HTTPServer
        response = self.request(self.base_url + '/test')
Original file line number	Diff line number	Diff line change
Expand Up		@@ -421,25 +421,32 @@ def test_undecodable_filename(self):
		def test_get_dir_redirect_location_domain_injection_bug(self):
		"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.

		//domain/ in a Location header is a redirect to a newdomain name.
		//netloc/ in a Location header is a redirect to a newhost.
		https://github.com/python/cpython/issues/87389

		This checks that a path resolving to a directory on our server cannot
		resolve into a redirect to another server telling it that the
		directory in question exists on the Referrer server.
		resolve into a redirect to another server.
		"""
		os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
		url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
		# Canonicalizes to /tmp/tempdir_name/existing_directory which does
		# exist and is a dir, triggering the 301 redirect and former bug.
		attack_url = f'//python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
		attack_url = f'/{url}' # //python.org... multi-slash prefix, no trailing slash
		expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash

		response = self.request(attack_url)
		self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
		location = response.getheader('Location')
		self.assertFalse(location.startswith('//'), msg=location)
		self.assertEqual(location,f'/{attack_url.lstrip("/")}/',
		self.assertEqual(location,expected_location,
		msg='Expected Location header to start with a single / and '
gpshead marked this conversation as resolved. Show resolvedHide resolved
		'end with a / as this is a directory redirect.')
gpshead marked this conversation as resolved. Show resolvedHide resolved

		attack3_url = f'//{url}' # ///python.org... triple-slash prefix, no trailing slash
		response = self.request(attack3_url)
		self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
		self.assertEqual(response.getheader('Location'), expected_location)

		def test_get(self):
		#constructs the path relative to the root directory of the HTTPServer
		response = self.request(self.base_url + '/test')
Expand Down