From 346e1a3591a48b3ed1c6c27d8d37cca95033d6e5 Mon Sep 17 00:00:00 2001
From: Ethan Furman
Date: Mon, 1 May 2023 15:04:43 -0700
Subject: [PATCH 1/4] do not expose on-disk location used by SimpleHTTPServer

---
 Lib/http/server.py | 2 +-
 Lib/test/test_httpservers.py | 8 ++++++++
 .../2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 971f08046d50b5..a245ffb307860a 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -791,7 +791,7 @@ def list_directory(self, path):
             displaypath = urllib.parse.unquote(self.path,
                                                errors='surrogatepass')
         except UnicodeDecodeError:
-            displaypath = urllib.parse.unquote(path)
+            displaypath = urllib.parse.unquote(self.path)
         displaypath = html.escape(displaypath, quote=False)
         enc = sys.getfilesystemencoding()
         title = f'Directory listing for {displaypath}'
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index cbcf94136ac4eb..0ea99dd9da146b 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -418,6 +418,14 @@ def test_undecodable_filename(self):
         self.check_status_and_reason(response, HTTPStatus.OK,
                                      data=os_helper.TESTFN_UNDECODABLE)
 
+    def test_undecodable_parameter(self):
+        # sanity check using a valid paramter
+        response = self.request(self.base_url + '/?x=123').read()
+        self.assertRegex(response, ('listing for %s/\?x=123' % self.base_url).encode('latin1'))
+        # now the bogus encoding
+        response = self.request(self.base_url + '/?x=%bb').read()
+        self.assertRegex(response, ('listing for %s/\?x=\xef\xbf\xbd' % self.base_url).encode('latin1'))
+
     def test_get_dir_redirect_location_domain_injection_bug(self):
         """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
 
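Review bot: The `+` line fixes the leak but leaves no trace of why `self.path` is required here, while the leaked name `path` stays in scope and is the more obvious choice for someone reading the `except` branch on its own; add a comment above it such as `# Fall back on the request path, never on `path`: that is the translated on-disk location and this text is sent back to the client.` Spelling out the default, `displaypath = urllib.parse.unquote(self.path, errors='replace')`, would also make it visible that the retry cannot raise the same UnicodeDecodeError that the first attempt did. list_directory begins before this hunk and continues after it.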
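Review bot: The new test asserts that the request path is echoed but never asserts the property the commit fixes, that the translated on-disk directory is absent from the listing; if the fixture exposes the temporary directory it serves as an attribute set in setUp (outside this hunk), add an `assertNotIn` of its encoded form on `response` after each read so a regression to `unquote(path)` is caught directly rather than by the echo regex failing to match. Separately, `\?` inside a non-raw string literal is an invalid escape sequence (a DeprecationWarning, a SyntaxWarning from 3.12) and should be written as `r'listing for %s/\?x=123'` or built with `re.escape`; the same literals are rewritten, still with `\?`, in the final 'use f-strings' hunk of this series. The expected bytes also assume the listing is served as UTF-8, which holds only when `sys.getfilesystemencoding()` is 'utf-8'; worth a one-line comment so a failure on another filesystem encoding is understood.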
diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
new file mode 100644
index 00000000000000..37b26a9a1e7c70
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@@ -0,0 +1 @@
+Do not expose on-disk location used by ``SimpleHTTPServer``.

From db1461513e7f53ed7fea7ef50e41136924ab5b6c Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Mon, 1 May 2023 18:56:50 -0700
Subject: [PATCH 2/4] reword and ReSTify the news more.

---
 .../Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
index 37b26a9a1e7c70..969deb26bfeb95 100644
--- a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
+++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@@ -1 +1,2 @@
-Do not expose on-disk location used by ``SimpleHTTPServer``.
+Do not expose the local on-disk location in directory indexes
+produced by :class:`http.client.SimpleHTTPRequestHandler`.

From 0621063ebae734a45e3e4ff2b421680ba735d700 Mon Sep 17 00:00:00 2001
From: Jelle Zijlstra
Date: Tue, 2 May 2023 19:03:48 -0700
Subject: [PATCH 3/4] Update Lib/test/test_httpservers.py

---
 Lib/test/test_httpservers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index 0ea99dd9da146b..ede24cf112c9c5 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -419,7 +419,7 @@ def test_undecodable_filename(self):
                                      data=os_helper.TESTFN_UNDECODABLE)
 
     def test_undecodable_parameter(self):
-        # sanity check using a valid paramter
+        # sanity check using a valid parameter
         response = self.request(self.base_url + '/?x=123').read()
         self.assertRegex(response, ('listing for %s/\?x=123' % self.base_url).encode('latin1'))
         # now the bogus encoding

From 0e6d72bab4c828710ed67a217b3459030fb05f25 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Tue, 2 May 2023 20:16:51 -0700
Subject: [PATCH 4/4] use f-strings

---
 Lib/test/test_httpservers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index ede24cf112c9c5..0382b5ec448d57 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -421,10 +421,10 @@ def test_undecodable_filename(self):
     def test_undecodable_parameter(self):
         # sanity check using a valid parameter
         response = self.request(self.base_url + '/?x=123').read()
-        self.assertRegex(response, ('listing for %s/\?x=123' % self.base_url).encode('latin1'))
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
         # now the bogus encoding
         response = self.request(self.base_url + '/?x=%bb').read()
-        self.assertRegex(response, ('listing for %s/\?x=\xef\xbf\xbd' % self.base_url).encode('latin1'))
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
 
     def test_get_dir_redirect_location_domain_injection_bug(self):
         """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
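Review bot: The two rewritten `+` lines still go through a regex although the expected text is a literal, so `self.base_url` is interpolated into a pattern unescaped and the replacement character has to be spelled as `\xef\xbf\xbd` re-encoded through latin1, which hides what is actually being checked; `self.assertIn(f'listing for {self.base_url}/?x=123'.encode('utf-8'), response)` and `self.assertIn(f'listing for {self.base_url}/?x=\ufffd'.encode('utf-8'), response)` compare the same bytes with no regex and no escaping. The comment `# now the bogus encoding` should also state the expectation, e.g. `# %bb is not valid UTF-8: the handler must fall back on the request path and render U+FFFD, never the on-disk path`. test_undecodable_parameter is shown in full here, but the class and its fixture are outside the hunk.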