Message 262595 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Thomas
Recipients	Thomas, martin.panter, paul.moore, phihag, steve.dower, tim.golden, xiang.zhang, zach.ware
Date	2016-03-29.09:36:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1459244196.0.0.699321548626.issue26657@psf.upfronthosting.co.za>
In-reply-to

Content
Martin Panter: Regarding the warning, you appear to be correct. However, reading the source of http.server again made me notice _url_collapse_path(path) which seems to have some overlap with translate_path. Also it crashes with an IndexError if path contains '..'. Also, yes, python 2.7's SimpleHTTPServer is affected as well. Discarding weird paths instead of trying to repair them would change semantics, but from a user perspective, it would be easier to understand what is going on, so I'd agree with that change. Further, I agree that it would be nice if there was some library function to safely handle path operations. The function you proposed in https://bugs.python.org/issue21109#msg216675 and https://bitbucket.org/vadmium/pyrescene/src/34264f6/rescene/utility.py#cl-217 leaves handling path separators to the user. Maybe that should be handled as well? The function withstood my fuzzing tests on windows, so it might be correct. There is probably a good reason for disallowing paths that contain /dev/null but I don't know why. Could you add a word or two of documentation to explain? A really high-level solution would be to do away with all the strings and handle paths properly as the structure that they represent instead of trying to fake all kinds of things with strings, but that is probably beyond the scope of this issue.

Martin Panter: Regarding the warning, you appear to be correct.
However, reading the source of http.server again made me notice
_url_collapse_path(path)
which seems to have some overlap with translate_path. Also it
crashes with an IndexError if path contains '..'.

Also, yes, python 2.7's SimpleHTTPServer is affected as well.

Discarding weird paths instead of trying to repair them would change semantics, but from a user perspective, it would be easier to understand what is going on, so I'd agree with that change.

Further, I agree that it would be nice if there was some library function to safely handle path operations.
The function you proposed in https://bugs.python.org/issue21109#msg216675 and https://bitbucket.org/vadmium/pyrescene/src/34264f6/rescene/utility.py#cl-217 leaves handling path separators to the user. Maybe that should be handled as well?
The function withstood my fuzzing tests on windows, so it might be correct.
There is probably a good reason for disallowing paths that contain /dev/null but I don't know why. Could you add a word or two of documentation to explain?

A really high-level solution would be to do away with all the strings and handle paths properly as the structure that they represent instead of trying to fake all kinds of things with strings, but that is probably beyond the scope of this issue.

History
Date	User	Action	Args
2016-03-29 09:36:36	Thomas	set	recipients: + Thomas, paul.moore, tim.golden, phihag, martin.panter, zach.ware, steve.dower, xiang.zhang
2016-03-29 09:36:36	Thomas	set	messageid: <1459244196.0.0.699321548626.issue26657@psf.upfronthosting.co.za>
2016-03-29 09:36:35	Thomas	link	issue26657 messages
2016-03-29 09:36:34	Thomas	create