Thomas added the comment:

Martin Panter: Regarding the warning, you appear to be correct.
However, reading the source of http.server again made me notice
_url_collapse_path(path)
which seems to have some overlap with translate_path. Also it
crashes with an IndexError if path contains '..'.

Also, yes, Python 2.7's SimpleHTTPServer is affected as well.

Discarding weird paths instead of trying to repair them would change semantics, 
but from a user perspective, it would be easier to understand what is going on, 
so I'd agree with that change.

Further, I agree that it would be nice if there was some library function to 
safely handle path operations.
The function you proposed in https://bugs.python.org/issue21109#msg216675 and 
https://bitbucket.org/vadmium/pyrescene/src/34264f6/rescene/utility.py#cl-217 
leaves handling path separators to the user. Maybe that should be handled as 
well?
The function withstood my fuzzing tests on Windows, so it might be correct.
There is probably a good reason for disallowing paths that contain /dev/null 
but I don't know why. Could you add a word or two of documentation to explain?

A really high-level solution would be to do away with all the strings and 
handle paths properly as the structure that they represent instead of trying to 
fake all kinds of things with strings, but that is probably beyond the scope of 
this issue.

----------
versions: +Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26657>
_______________________________________
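
Added example, not part of the tracker message and not code from http.server or from the function linked above: a sketch of the "discard instead of repair" approach discussed in the comment, which rejects a request path outright and otherwise returns it as a list of plain components. The names `safe_components`, `resolve`, `is_rejected`, `UnsafePath` and `WINDOWS_DEVICES` are hypothetical, and the device-name list is constructed for the example.

```python
import os
import urllib.parse

# Constructed list of Windows device names; these open devices, not files.
WINDOWS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}


class UnsafePath(ValueError):
    """The request path was rejected instead of being repaired."""


def safe_components(url_path):
    """Return the path as a list of plain names, or raise UnsafePath."""
    # Drop query string and fragment, then decode %xx escapes once.
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    path = urllib.parse.unquote(path)
    parts = []
    for part in path.split("/"):
        if part == "":
            continue  # leading, trailing or doubled slash
        if part in (".", ".."):
            raise UnsafePath(f"relative component: {part!r}")
        # A backslash or colon would be a separator or drive on Windows.
        if any(c in part for c in "\\:\0"):
            raise UnsafePath(f"separator, drive or NUL byte in {part!r}")
        # "nul.txt" and "NUL " still name the device, so compare the stem.
        if part.split(".", 1)[0].rstrip(" ").upper() in WINDOWS_DEVICES:
            raise UnsafePath(f"Windows device name: {part!r}")
        parts.append(part)
    return parts


def resolve(root, url_path):
    """Join already-validated components onto the served directory."""
    return os.path.join(root, *safe_components(url_path))


def is_rejected(url_path):
    """True if the path would be refused (caller answers with an error)."""
    try:
        safe_components(url_path)
    except UnsafePath:
        return True
    return False
```
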