Skip to content

[3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ambv merged 1 commit into from
May 22, 2023
Merged

[3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104120

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandl… 
…er (GH-104067)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
  • Loading branch information
@ethanfurman @gpshead
@JelleZijlstra @miss-islington
3 people authored and miss-islington committed May 3, 2023
commit c79e88032529e01c1c0ff10c6191d095fccac4f4
2 changes: 1 addition & 1 deletion Lib/http/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -791,7 +791,7 @@ def list_directory(self, path):
displaypath = urllib.parse.unquote(self.path,
errors='surrogatepass')
except UnicodeDecodeError:
displaypath = urllib.parse.unquote(path)
displaypath = urllib.parse.unquote(self.path)
displaypath = html.escape(displaypath, quote=False)
enc = sys.getfilesystemencoding()
title = 'Directory listing for %s' % displaypath
Expand Down
8 changes: 8 additions & 0 deletions Lib/test/test_httpservers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -415,6 +415,14 @@ def test_undecodable_filename(self):
self.check_status_and_reason(response, HTTPStatus.OK,
data=support.TESTFN_UNDECODABLE)

def test_undecodable_parameter(self):
# sanity check using a valid parameter
response = self.request(self.base_url + '/?x=123').read()
self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
# now the bogus encoding
response = self.request(self.base_url + '/?x=%bb').read()
self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))

def test_get_dir_redirect_location_domain_injection_bug(self):
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.

Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Do not expose the local on-disk location in directory indexes
produced by :class:`http.client.SimpleHTTPRequestHandler`.