Author martin.panter
Recipients martin.panter, vstinner
Date 2017-11-26.05:28:22
Message-id <1511674103.3.0.213398074469.issue32084@psf.upfronthosting.co.za>
In-reply-to
Content
Maybe a good fix would be to “escape” the double slash with “/.”:

if os.path.isdir(path):
    url = self.path
    if url.startswith('//'):  # E.g. "//www.python.org/%2f.."
        url = "/." + url  # Becomes "/.//www.python.org/%2f.."
    parts = urllib.parse.urlsplit(url)
    ...

When this “escaped” URL is resolved with the base URL, it should give the right result:

>>> from urllib.parse import urljoin
>>> base = "http://localhost:8000//www.python.org/%2f.."
>>> redirect = "/.//www.python.org/%2f../"
>>> urljoin(base, redirect)
'http://localhost:8000//www.python.org/%2f../'

A simpler idea is to strip off all but one of the leading slashes, so you end up with "/www.python.org/%2f..". That would technically be a different URL, but would access the same file through the default SimpleHTTPRequestHandler behaviour, so most people wouldn’t notice.
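An added example, not part of the original message or of CPython's code: it resolves the directory redirect for the request path quoted above in three cases (unmodified, escaped with "/.", and collapsed to one leading slash) and checks whether the client stays on the serving host. The function names, ORIGIN and the simplified Location-building step are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

ORIGIN = "http://localhost:8000"          # constructed server address
REQUEST_PATH = "//www.python.org/%2f.."   # request path quoted in the message


def escape_leading_slashes(path):
    """First proposal: prefix "/." so the path no longer begins with "//"."""
    return "/." + path if path.startswith("//") else path


def collapse_leading_slashes(path):
    """Second proposal: strip all but one of the leading slashes."""
    return "/" + path.lstrip("/") if path.startswith("//") else path


def location_header(request_path, fix=None):
    """Simplified model (assumption) of the directory redirect: split the
    request path, append "/" to the path component, and reassemble."""
    url = fix(request_path) if fix else request_path
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def redirect_target(request_path, fix=None):
    """Absolute URL a client reaches after resolving the Location value
    against the URL it originally requested."""
    return urljoin(ORIGIN + request_path, location_header(request_path, fix))


def stays_on_origin(url):
    """True when the resolved redirect still points at the serving host."""
    return urlsplit(url).netloc == urlsplit(ORIGIN).netloc


if __name__ == "__main__":
    for name, fix in [("unmodified", None),
                      ("escape with /.", escape_leading_slashes),
                      ("collapse slashes", collapse_leading_slashes)]:
        target = redirect_target(REQUEST_PATH, fix)
        print(f"{name:17} {location_header(REQUEST_PATH, fix):28} "
              f"{target}  on-origin={stays_on_origin(target)}")
```

The same `stays_on_origin` assertion works as a regression test for whichever normalization is adopted.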