bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) (#2860)

vstinner · ned-deily · commit 7b92f9fa47df · 2017-07-26T00:06:18.000-04:00
Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47. (cherry picked from commit d274b3f) (cherry picked from commit 6f6bc1d)
diff --git a/Lib/http/server.py b/Lib/http/server.py
@@ -793,9 +793,9 @@ def translate_path(self, path):
         words = filter(None, words)
         path = os.getcwd()
         for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
             path = os.path.join(path, word)
         if trailing_slash:
             path += '/'
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
@@ -12,6 +12,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import http.client
@@ -703,6 +704,24 @@ def test_start_with_double_slash(self):
         path = self.handler.translate_path('//filename?foo=bar')
         self.assertEqual(path, self.translated)
 
+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
 
 def test_main(verbose=None):
     cwd = os.getcwd()
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
@@ -0,0 +1,3 @@
+Fix directory traversal vulnerability with http.server on Windows. This
+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
+patch by Philipp Hagemeister.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Fix directory traversal vulnerability with http.server on Windows. This`
	`2`	`+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on`
	`3`	`+patch by Philipp Hagemeister.`