[3.3][security] bpo-26657: Fix Windows directory traversal vulnerability with http.se… by vstinner · Pull Request #2860 · python/cpython

Expand Up @@ -12,6 +12,7 @@ import sys import re import base64 import ntpath import shutil import urllib.parse import http.client Expand Down Expand Up @@ -703,6 +704,24 @@ def test_start_with_double_slash(self): path = self.handler.translate_path('//filename?foo=bar') self.assertEqual(path, self.translated)
def test_windows_colon(self): with support.swap_attr(server.os, 'path', ntpath): path = self.handler.translate_path('c:c:c:foo/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('\\c:../filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:\\c:..\\foo/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)
path = self.handler.translate_path('c:c:foo\\c:c:bar/filename') path = path.replace(ntpath.sep, os.sep) self.assertEqual(path, self.translated)

def test_main(verbose=None): cwd = os.getcwd() Expand Down