# HG changeset patch
# Parent  9fdeca5fdbf0da6db32d38e010ec89941f801e0d
Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

diff -r 9fdeca5fdbf0 Lib/http/server.py
--- a/Lib/http/server.py	Mon Mar 28 06:13:52 2016 +0000
+++ b/Lib/http/server.py	Sat Apr 02 03:53:06 2016 +0000
@@ -763,9 +763,9 @@
         words = filter(None, words)
         path = os.getcwd()
         for word in words:
-            drive, word = os.path.splitdrive(word)
-            head, word = os.path.split(word)
-            if word in (os.curdir, os.pardir): continue
+            if os.path.dirname(word) or word in (os.curdir, os.pardir):
+                # Ignore components that are not a simple file/directory name
+                continue
             path = os.path.join(path, word)
         if trailing_slash:
             path += '/'
diff -r 9fdeca5fdbf0 Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py	Mon Mar 28 06:13:52 2016 +0000
+++ b/Lib/test/test_httpservers.py	Sat Apr 02 03:53:06 2016 +0000
@@ -12,6 +12,7 @@
 import sys
 import re
 import base64
+import ntpath
 import shutil
 import urllib.parse
 import html
@@ -908,6 +909,24 @@
         path = self.handler.translate_path('//filename?foo=bar')
         self.assertEqual(path, self.translated)
 
+    def test_windows_colon(self):
+        with support.swap_attr(server.os, 'path', ntpath):
+            path = self.handler.translate_path('c:c:c:foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('\\c:../filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:\\c:..\\foo/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
+            path = self.handler.translate_path('c:c:foo\\c:c:bar/filename')
+            path = path.replace(ntpath.sep, os.sep)
+            self.assertEqual(path, self.translated)
+
 
 class MiscTestCase(unittest.TestCase):
     def test_all(self):
diff -r 9fdeca5fdbf0 Misc/NEWS
--- a/Misc/NEWS	Mon Mar 28 06:13:52 2016 +0000
+++ b/Misc/NEWS	Sat Apr 02 03:53:06 2016 +0000
@@ -232,6 +232,10 @@
 Library
 -------
 
+- Issue #26657: Fix directory traversal vulnerability with http.server on
+  Windows.  This fixes a regression that was introduced in 3.3.4rc1 and
+  3.4.0rc1.  Based on patch by Philipp Hagemeister.
+
 - Issue #25195: Fix a regression in mock.MagicMock. _Call is a subclass of
   tuple (changeset 3603bae63c13 only works for classes) so we need to
   implement __ne__ ourselves.  Patch by Andrew Plummer.