Message 137726 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ori.livneh
Recipients	Arfrever, asdfasdfasdfasdfasdfasdfasdf, barry, benjamin.peterson, brett.cannon, dmalcolm, eric.araujo, georg.brandl, gps, gregory.p.smith, jcon, ori.livneh, orsenthil
Date	2011-06-06.02:11:13
SpamBayes Score	8.47519e-08
Marked as misclassified	No
Message-id	<1307326275.79.0.301303623953.issue11197@psf.upfronthosting.co.za>
In-reply-to

Content
I've attached my proposal for a fix. It's my first, so apologies if I've made a mistake somewhere. Senthil Kumaran, to whom the bug is currently assigned, kindly agreed to let me take a stab at it (thanks!). The approach I took was to normalize the path by replacing each of os.sep and os.altsep with slashes if (a) these characters are present in the path component and (b) the operating system is such that os.sep or os.altsep != '/'. (Currently, os.altsep is either None or '/' on all systems, but it seemed like a good idea to check anyway.) Requesting a relative path which, when translated, would point above the current working directory (e.g. http://localhost:8000/../) causes the server to return a 400 error, which is just how Apache responds to such requests. Internal calls to translate_path with such malformed paths cause translate_path to raise an IndexError, which is consistent with how _url_collapse_path_split (used by CGIRequestHandler) handles them.

I've attached my proposal for a fix. It's my first, so apologies if I've made a mistake somewhere. Senthil Kumaran, to whom the bug is currently assigned, kindly agreed to let me take a stab at it (thanks!).

The approach I took was to normalize the path by replacing each of os.sep and os.altsep with slashes if (a) these characters are present in the path component and (b) the operating system is such that os.sep or os.altsep != '/'. (Currently, os.altsep is either None or '/' on all systems, but it seemed like a good idea to check anyway.)

Requesting a relative path which, when translated, would point above the current working directory (e.g. http://localhost:8000/../) causes the server to return a 400 error, which is just how Apache responds to such requests.

Internal calls to translate_path with such malformed paths cause translate_path to raise an IndexError, which is consistent with how _url_collapse_path_split (used by CGIRequestHandler) handles them.

History
Date	User	Action	Args
2011-06-06 02:11:16	ori.livneh	set	recipients: + ori.livneh, barry, brett.cannon, georg.brandl, gregory.p.smith, orsenthil, gps, benjamin.peterson, eric.araujo, Arfrever, dmalcolm, asdfasdfasdfasdfasdfasdfasdf, jcon
2011-06-06 02:11:15	ori.livneh	set	messageid: <1307326275.79.0.301303623953.issue11197@psf.upfronthosting.co.za>
2011-06-06 02:11:15	ori.livneh	link	issue11197 messages
2011-06-06 02:11:14	ori.livneh	create