Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.
2025-08-04 00:48:58 +00:00 · 2016-04-18 03:45:18 +00:00 · 2016-04-18 03:45:18 +00:00 · d274b3f1f1
commit d274b3f1f1
parent 6aafbd433d
3 changed files with 26 additions and 3 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -12,6 +12,7 @@ import os
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@ -918,6 +919,24 @@ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
        path = self.handler.translate_path('//filename?foo=bar')
        self.assertEqual(path, self.translated)

+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+

 class MiscTestCase(unittest.TestCase):
    def test_all(self):