Message306545
I wrote this patch, but I'm not sure that it's ok to always reject redirection URLs starting with //:
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 502bce0c7a..494031b8c2 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -673,10 +673,18 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
parts = urllib.parse.urlsplit(self.path)
if not parts.path.endswith('/'):
# redirect browser - doing basically what apache does
- self.send_response(HTTPStatus.MOVED_PERMANENTLY)
new_parts = (parts[0], parts[1], parts[2] + '/',
parts[3], parts[4])
new_url = urllib.parse.urlunsplit(new_parts)
+
+ # Browsers interpret "Location: //uri" as an absolute URI
+ # like "http://URI"
+ if new_url.startswith('//'):
+ self.send_error(HTTPStatus.BAD_REQUEST,
+ "URI must not start with //")
+ return None
+
+ self.send_response(HTTPStatus.MOVED_PERMANENTLY)
self.send_header("Location", new_url)
self.end_headers()
return None |
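Review bot: The comment above the new `startswith('//')` guard does not say that this is an open-redirect check, and "absolute URI" is not quite the right term for what the browser sees. `new_url` is rebuilt from the client-supplied `self.path`, and a Location value beginning with `//` is a network-path reference (RFC 3986, section 4.2), which the client resolves by keeping the current scheme and reading the next segment as the host. I would word the comment as `# "Location: //host/..." is a network-path reference (RFC 3986, 4.2): the browser` followed by `# keeps the scheme and treats what follows as a host, i.e. an open redirect.` The guard also depends on how urlsplit/urlunsplit round-trip leading slashes, so a regression test covering both the rejected request and an ordinary directory redirect would be worth adding; none is visible in this hunk. The enclosing method starts and ends outside the hunk.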
|
Date |
User |
Action |
Args |
2017-11-20 14:24:07 | vstinner | set | recipients:
+ vstinner |
2017-11-20 14:24:07 | vstinner | set | messageid: <1511187847.75.0.213398074469.issue32084@psf.upfronthosting.co.za> |
2017-11-20 14:24:07 | vstinner | link | issue32084 messages |
2017-11-20 14:24:07 | vstinner | create | |
|