Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.
Martin Panter 2016-04-18 03:45:18 +00:00
parent 6aafbd433d
commit d274b3f1f1
3 changed files with 26 additions and 3 deletions


@ -774,9 +774,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
words = filter(None, words)
path = os.getcwd()
for word in words:
drive, word = os.path.splitdrive(word)
head, word = os.path.split(word)
if word in (os.curdir, os.pardir): continue
if os.path.dirname(word) or word in (os.curdir, os.pardir):
# Ignore components that are not a simple file/directory name
continue
path = os.path.join(path, word)
if trailing_slash:
path += '/'
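Review bot: The comment on the `if os.path.dirname(word) or word in (os.curdir, os.pardir):` check (which reads as the new side, though the +/- markers are lost on this page) does not say why `dirname` is the test, and that reasoning is what keeps the Windows traversal closed. The words appear to be split on `/` only, outside this hunk, so on Windows a component can still carry a drive prefix or a backslash; `os.path.dirname()` is non-empty for those, which covers what the `splitdrive`/`split` lines handled. I would expand the comment to something like `# dirname() is non-empty when word holds a drive ("c:") or an OS separator ("..\\x" on Windows); skip it so the result stays under os.getcwd()`, so a later cleanup does not reintroduce the regression the description mentions. Such components are skipped rather than rejected, so a request containing one resolves to a different path inside the served tree instead of failing; the method's docstring should state that this is intended. The enclosing method starts and ends outside the hunk.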