[3.10] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104119)

gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- (cherry picked from commit c7c3a60c88) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2023-05-09 08:21:53 -07:00 · 2023-05-09 08:21:53 -07:00 · d77e77c363
parent e277266a92
commit d77e77c363
3 changed files with 11 additions and 1 deletions
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@ -791,7 +791,7 @@ def list_directory(self, path):
            displaypath = urllib.parse.unquote(self.path,
                                               errors='surrogatepass')
        except UnicodeDecodeError:
-            displaypath = urllib.parse.unquote(path)
+            displaypath = urllib.parse.unquote(self.path)
        displaypath = html.escape(displaypath, quote=False)
        enc = sys.getfilesystemencoding()
        title = 'Directory listing for %s' % displaypath
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -417,6 +417,14 @@ def test_undecodable_filename(self):
        self.check_status_and_reason(response, HTTPStatus.OK,
                                     data=os_helper.TESTFN_UNDECODABLE)

+    def test_undecodable_parameter(self):
+        # sanity check using a valid parameter
+        response = self.request(self.base_url + '/?x=123').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
+        # now the bogus encoding
+        response = self.request(self.base_url + '/?x=%bb').read()
+        self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
+
    def test_get_dir_redirect_location_domain_injection_bug(self):
        """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.

--- a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
+++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@ -0,0 +1,2 @@
+Do not expose the local on-disk location in directory indexes
+produced by :class:`http.client.SimpleHTTPRequestHandler`.