Skip to content

Commit

Permalink
[3.10] pythongh-104049: do not expose on-disk location from SimpleHTT…
Browse files Browse the repository at this point in the history
…PRequestHandler (pythonGH-104067) (python#104119)

pythongh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (pythonGH-104067)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
  • Loading branch information
4 people authored May 9, 2023
1 parent e277266 commit d77e77c
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Lib/http/server.py
Original file line number Diff line number Diff line change
Expand Up @@ -791,7 +791,7 @@ def list_directory(self, path):
displaypath = urllib.parse.unquote(self.path,
errors='surrogatepass')
except UnicodeDecodeError:
displaypath = urllib.parse.unquote(path)
displaypath = urllib.parse.unquote(self.path)
displaypath = html.escape(displaypath, quote=False)
enc = sys.getfilesystemencoding()
title = 'Directory listing for %s' % displaypath
Expand Down
8 changes: 8 additions & 0 deletions Lib/test/test_httpservers.py
Original file line number Diff line number Diff line change
Expand Up @@ -417,6 +417,14 @@ def test_undecodable_filename(self):
self.check_status_and_reason(response, HTTPStatus.OK,
data=os_helper.TESTFN_UNDECODABLE)

def test_undecodable_parameter(self):
# sanity check using a valid parameter
response = self.request(self.base_url + '/?x=123').read()
self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
# now the bogus encoding
response = self.request(self.base_url + '/?x=%bb').read()
self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))

def test_get_dir_redirect_location_domain_injection_bug(self):
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Do not expose the local on-disk location in directory indexes
produced by :class:`http.client.SimpleHTTPRequestHandler`.

0 comments on commit d77e77c

Please sign in to comment.