words = filter(None, words)
path = os.getcwd()
for word in words:
- drive, word = os.path.splitdrive(word)
- head, word = os.path.split(word)
- if word in (os.curdir, os.pardir): continue
+ if os.path.dirname(word) or word in (os.curdir, os.pardir):
+ # Ignore components that are not a simple file/directory name
+ continue
path = os.path.join(path, word)
if trailing_slash:
path += '/'
import sys
import re
import base64
+import ntpath
import shutil
import urllib.parse
import html
path = self.handler.translate_path('//filename?foo=bar')
self.assertEqual(path, self.translated)
+ def test_windows_colon(self):
+ with support.swap_attr(server.os, 'path', ntpath):
+ path = self.handler.translate_path('c:c:c:foo/filename')
+ path = path.replace(ntpath.sep, os.sep)
+ self.assertEqual(path, self.translated)
+
+ path = self.handler.translate_path('\\c:../filename')
+ path = path.replace(ntpath.sep, os.sep)
+ self.assertEqual(path, self.translated)
+
+ path = self.handler.translate_path('c:\\c:..\\foo/filename')
+ path = path.replace(ntpath.sep, os.sep)
+ self.assertEqual(path, self.translated)
+
+ path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+ path = path.replace(ntpath.sep, os.sep)
+ self.assertEqual(path, self.translated)
+
class MiscTestCase(unittest.TestCase):
def test_all(self):
Library
-------
+- Issue #26657: Fix directory traversal vulnerability with http.server on
+ Windows. This fixes a regression that was introduced in 3.3.4rc1 and
+ 3.4.0rc1. Based on patch by Philipp Hagemeister.
+
- Issue #26717: Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by
Anthony Sottile.
projects / python / commitdiff