Martin Panter <[email protected]> added the comment:
Maybe a good fix would be to “escape” the double slash with “/.”:

    if os.path.isdir(path):
        url = self.path
        if url.startswith('//'):  # E.g. "//www.python.org/%2f.."
            url = "/." + url  # Becomes "/.//www.python.org/%2f.."
        parts = urllib.parse.urlsplit(url)
        ...

When this “escaped” URL is resolved with the base URL, it should give the right
result:

    >>> base = "http://localhost:8000//www.python.org/%2f.."
    >>> redirect = "/.//www.python.org/%2f../"
    >>> urljoin(base, redirect)
    'http://localhost:8000//www.python.org/%2f../'

A simpler idea is to strip off all but one of the leading slashes, so you end
up with "/www.python.org/%2f..". That would technically be a different URL, but
would access the same file through the default SimpleHTTPRequestHandler
behaviour, so most people wouldn’t notice.
----------
nosy: +martin.panter
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue32084>
_______________________________________
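
The two fixes suggested in the comment above, compared side by side as an added example (not code from the tracker or from CPython). It assumes the directory redirect is built by splitting the request path, appending "/" to the path component and reassembling it; the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Values taken from the comment above.
BASE = "http://localhost:8000//www.python.org/%2f.."
REQUEST_PATH = "//www.python.org/%2f.."


def _add_slash(url):
    # Assumed redirect step: split the URL, append "/" to the path, reassemble.
    parts = urlsplit(url)
    return urlunsplit((parts[0], parts[1], parts[2] + "/", parts[3], parts[4]))


def location_unfixed(request_path):
    # A leading "//" is parsed as a network location, not as part of the path.
    return _add_slash(request_path)


def location_escaped(request_path):
    # First suggestion: "escape" the double slash with "/.".
    if request_path.startswith("//"):
        request_path = "/." + request_path
    return _add_slash(request_path)


def location_stripped(request_path):
    # Second suggestion: keep only one of the leading slashes.
    if request_path.startswith("//"):
        request_path = "/" + request_path.lstrip("/")
    return _add_slash(request_path)


def resolve(base, location):
    # What a client does with the Location header: resolve it against the
    # request URL. Returns (absolute URL, host the client would contact).
    target = urljoin(base, location)
    return target, urlsplit(target).netloc


if __name__ == "__main__":
    for build in (location_unfixed, location_escaped, location_stripped):
        location = build(REQUEST_PATH)
        print(build.__name__, location, *resolve(BASE, location))
```

Only the unfixed form resolves to a host other than the one that served the request; the escaped form keeps the original path, while the stripped form changes the URL to a single leading slash.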