Issue #26657: Merge http.server fix from 3.5

author: Martin Panter <vadmium+py@gmail.com> 2016-04-18 07:16:17 +0000
committer: Martin Panter <vadmium+py@gmail.com> 2016-04-18 07:16:17 +0000
commit: 791ac54a44c1d8c6ee03a3ef733ce04182b8637c (patch)
tree: 9b00e2fb683943ff36e4022d2a72409f6ec68272 /Lib/http
parent: #25987: add versionadded to Reversible. (diff)
parent: Issue #26657: Fix Windows directory traversal vulnerability with http.server (diff)
download: cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.tar.gz
cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.tar.bz2
cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py
index c1607b36b0b..1f6a62bff93 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -768,9 +768,9 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
         words = filter(None, words)
         path = os.getcwd()
         for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
             path = os.path.join(path, word)
         if trailing_slash:
             path += '/'
author	Martin Panter <vadmium+py@gmail.com>	2016-04-18 07:16:17 +0000
committer	Martin Panter <vadmium+py@gmail.com>	2016-04-18 07:16:17 +0000
commit	791ac54a44c1d8c6ee03a3ef733ce04182b8637c (patch)
tree	9b00e2fb683943ff36e4022d2a72409f6ec68272 /Lib/http
parent	#25987: add versionadded to Reversible. (diff)
parent	Issue #26657: Fix Windows directory traversal vulnerability with http.server (diff)
download	cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.tar.gz cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.tar.bz2 cpython-791ac54a44c1d8c6ee03a3ef733ce04182b8637c.zip