Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit c7c3a60

Browse filesBrowse files
ethanfurmangpsheadJelleZijlstra
authored
pythongh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (python#104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
1 parent 292076a commit c7c3a60
Copy full SHA for c7c3a60

File tree

Expand file treeCollapse file tree

3 files changed

+11
-1
lines changed
Filter options
Expand file treeCollapse file tree

3 files changed

+11
-1
lines changed

‎Lib/http/server.py

Copy file name to clipboardExpand all lines: Lib/http/server.py
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -791,7 +791,7 @@ def list_directory(self, path):
791791
displaypath = urllib.parse.unquote(self.path,
792792
errors='surrogatepass')
793793
except UnicodeDecodeError:
794-
displaypath = urllib.parse.unquote(path)
794+
displaypath = urllib.parse.unquote(self.path)
795795
displaypath = html.escape(displaypath, quote=False)
796796
enc = sys.getfilesystemencoding()
797797
title = f'Directory listing for {displaypath}'

‎Lib/test/test_httpservers.py

Copy file name to clipboardExpand all lines: Lib/test/test_httpservers.py
+8Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -418,6 +418,14 @@ def test_undecodable_filename(self):
418418
self.check_status_and_reason(response, HTTPStatus.OK,
419419
data=os_helper.TESTFN_UNDECODABLE)
420420

421+
def test_undecodable_parameter(self):
422+
# sanity check using a valid parameter
423+
response = self.request(self.base_url + '/?x=123').read()
424+
self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
425+
# now the bogus encoding
426+
response = self.request(self.base_url + '/?x=%bb').read()
427+
self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
428+
421429
def test_get_dir_redirect_location_domain_injection_bug(self):
422430
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
423431

‎Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst

Copy file name to clipboard
+2Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Do not expose the local on-disk location in directory indexes
2+
produced by :class:`http.client.SimpleHTTPRequestHandler`.

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.