This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Thomas
Recipients Thomas, martin.panter, paul.moore, phihag, steve.dower, tim.golden, xiang.zhang, zach.ware
Date 2016-03-29.09:36:34
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Martin Panter: Regarding the warning, you appear to be correct.
However, reading the source of http.server again made me notice
which seems to have some overlap with translate_path. Also it
crashes with an IndexError if path contains '..'.

Also, yes, python 2.7's SimpleHTTPServer is affected as well.

Discarding weird paths instead of trying to repair them would change semantics, but from a user perspective, it would be easier to understand what is going on, so I'd agree with that change.

Further, I agree that it would be nice if there was some library function to safely handle path operations.
The function you proposed in and leaves handling path separators to the user. Maybe that should be handled as well?
The function withstood my fuzzing tests on windows, so it might be correct.
There is probably a good reason for disallowing paths that contain /dev/null but I don't know why. Could you add a word or two of documentation to explain?

A really high-level solution would be to do away with all the strings and handle paths properly as the structure that they represent instead of trying to fake all kinds of things with strings, but that is probably beyond the scope of this issue.
Date User Action Args
2016-03-29 09:36:36Thomassetrecipients: + Thomas, paul.moore, tim.golden, phihag, martin.panter, zach.ware, steve.dower, xiang.zhang
2016-03-29 09:36:36Thomassetmessageid: <>
2016-03-29 09:36:35Thomaslinkissue26657 messages
2016-03-29 09:36:34Thomascreate