Author vstinner
Recipients vstinner
Date 2017-11-20.14:24:07
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1511187847.75.0.213398074469.issue32084@psf.upfronthosting.co.za>
In-reply-to
Content
I wrote this patch, but I'm not sure that it's ok to always reject redirection URLs starting with //:

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 502bce0c7a..494031b8c2 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -673,10 +673,18 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
             parts = urllib.parse.urlsplit(self.path)
             if not parts.path.endswith('/'):
                 # redirect browser - doing basically what apache does
-                self.send_response(HTTPStatus.MOVED_PERMANENTLY)
                 new_parts = (parts[0], parts[1], parts[2] + '/',
                              parts[3], parts[4])
                 new_url = urllib.parse.urlunsplit(new_parts)
+
+                # Browsers interpret "Location: //uri" as an absolute URI
+                # like "http://URI"
+                if new_url.startswith('//'):
+                    self.send_error(HTTPStatus.BAD_REQUEST,
+                                    "URI must not start with //")
+                    return None
+
+                self.send_response(HTTPStatus.MOVED_PERMANENTLY)
                 self.send_header("Location", new_url)
                 self.end_headers()
                 return None
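Review bot: moving `self.send_response(HTTPStatus.MOVED_PERMANENTLY)` below the new check is required, not just cosmetic, because `send_error()` writes its own status line and headers, and the original ordering would have emitted two status lines on the rejected path. Two things to consider about the check itself: it only guards the directory-redirect branch, so the rest of `send_head()` and `translate_path()` still see a `self.path` that begins with `//`, and any other place that copies the request path into a `Location` header needs the same treatment; and a hard 400 turns a request for a real directory reached through a doubled leading slash into an error. The alternative to rejecting is to collapse the leading slashes to a single `/` before `urllib.parse.urlsplit(self.path)`, so `parts[1]` (the netloc) stays empty and the redirect stays path-relative. Either answers the open question in the message; normalization is the one that keeps those requests working.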
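The following is an added illustration of the behaviour the patch guards against; it is not code from the patch or from CPython. It mirrors the redirect construction in the hunk (urlsplit, append '/', urlunsplit) so the effect of a request path beginning with '//' can be seen directly: urlsplit() treats the text after '//' as a network location, and urlunsplit() then produces a scheme-relative URL that a browser would resolve to another host. The function names, the constructed request paths and the normalizing alternative (collapse leading slashes before splitting) are assumptions made for this example.

```python
import urllib.parse
from http import HTTPStatus


def directory_redirect_target(request_path):
    """Rebuild the redirect URL the same way the handler in the patch does:
    split the request path, append '/' to the path component, reassemble.
    Hypothetical helper; mirrors the hunk, not taken from it."""
    parts = urllib.parse.urlsplit(request_path)
    # parts[1] is the netloc; for a request path like '//host/dir' it is
    # 'host', and urlunsplit() will put the '//host' back in front.
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urllib.parse.urlunsplit(new_parts)


def classify_redirect(request_path):
    """Apply the patch's rule: reject with 400 when the rebuilt Location
    value would be scheme-relative, otherwise 301 to it.
    Returns (status, location) with location None on rejection."""
    new_url = directory_redirect_target(request_path)
    if new_url.startswith('//'):
        return (HTTPStatus.BAD_REQUEST, None)
    return (HTTPStatus.MOVED_PERMANENTLY, new_url)


def normalized_redirect(request_path):
    """Alternative (assumed, not the patch's choice): collapse any run of
    leading slashes to one before splitting, so the netloc is always empty
    and the Location stays path-relative."""
    if request_path.startswith('//'):
        request_path = '/' + request_path.lstrip('/')
    return directory_redirect_target(request_path)


if __name__ == '__main__':
    # Constructed request paths: an ordinary directory request, one with a
    # query string, and one whose path starts with '//'.
    for path in ('/docs', '/docs?x=1', '//evil.example/docs', '//evil.example'):
        print(repr(path), '->', classify_redirect(path),
              '| normalized:', repr(normalized_redirect(path)))
```

Running the block shows that '/docs' redirects to '/docs/' under both strategies, while '//evil.example/docs' is rejected by the patch's check and becomes the harmless path '/evil.example/docs/' under normalization.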