blob: f92693e63290e9d8f4445bb0c5c2fa3baa80b9f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
$NetBSD: patch-Lib_http_server.py,v 1.1.2.2 2014/07/05 11:21:49 tron Exp $
Fix for directory traversal vulnerability, ref.
http://bugs.python.org/issue21766
--- Lib/http/server.py.orig 2014-03-09 08:40:10.000000000 +0000
+++ Lib/http/server.py
@@ -971,7 +971,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
|
