[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server by vstinner · Pull Request #226 · python/cpython

Expand Up @@ -12,6 +12,7 @@ import sys import re import base64 import ntpath import shutil import urllib.parse import html Expand Down Expand Up @@ -829,6 +830,24 @@ def test_start_with_double_slash(self): path = self.handler.translate_path('//filename?foo=bar') self.assertEqual(path, self.translated)
def test_windows_colon(self): with support.swap_attr(server.os, 'path', ntpath): path = self.handler.translate_path('c:c:c:foo/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('\\c:../filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:\\c:..\\foo/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:c:foo\\c:c:bar/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)

class MiscTestCase(unittest.TestCase): def test_all(self): Expand Down