Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 690598a

Browse files
orsenthilorsenthil
committed
merge to default - Issue 10484 - Incorporate improvements to CGI module - Suggested by Glenn Linderman. Refactor code and tests
2 parents 1c94ff8 + d70846b commit 690598a

2 files changed

Lines changed: 56 additions & 51 deletions

File tree

Lib/http/server.py

Lines changed: 28 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -840,44 +840,47 @@ def guess_type(self, path):
840840

841841
# Utilities for CGIHTTPRequestHandler
842842

843-
# TODO(gregory.p.smith): Move this into an appropriate library.
844-
def _url_collapse_path_split(path):
843+
def _url_collapse_path(path):
845844
"""
846845
Given a URL path, remove extra '/'s and '.' path elements and collapse
847-
any '..' references.
846+
any '..' references and returns a colllapsed path.
848847
849848
Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
849+
The utility of this function is limited to is_cgi method and helps
850+
preventing some security attacks.
850851
851852
Returns: A tuple of (head, tail) where tail is everything after the final /
852853
and head is everything before it. Head will always start with a '/' and,
853854
if it contains anything else, never have a trailing '/'.
854855
855856
Raises: IndexError if too many '..' occur within the path.
857+
856858
"""
857859
# Similar to os.path.split(os.path.normpath(path)) but specific to URL
858860
# path semantics rather than local operating system semantics.
859-
path_parts = []
860-
for part in path.split('/'):
861-
if part == '.':
862-
path_parts.append('')
863-
else:
864-
path_parts.append(part)
865-
# Filter out blank non trailing parts before consuming the '..'.
866-
path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
861+
path_parts = path.split('/')
862+
head_parts = []
863+
for part in path_parts[:-1]:
864+
if part == '..':
865+
head_parts.pop() # IndexError if more '..' than prior parts
866+
elif part and part != '.':
867+
head_parts.append( part )
867868
if path_parts:
868869
tail_part = path_parts.pop()
870+
if tail_part:
871+
if tail_part == '..':
872+
head_parts.pop()
873+
tail_part = ''
874+
elif tail_part == '.':
875+
tail_part = ''
869876
else:
870877
tail_part = ''
871-
head_parts = []
872-
for part in path_parts:
873-
if part == '..':
874-
head_parts.pop()
875-
else:
876-
head_parts.append(part)
877-
if tail_part and tail_part == '..':
878-
head_parts.pop()
879-
tail_part = ''
880-
return ('/' + '/'.join(head_parts), tail_part)
878+
879+
splitpath = ('/' + '/'.join(head_parts), tail_part)
880+
collapsed_path = "/".join(splitpath)
881+
882+
return collapsed_path
883+
881884

882885

883886
nobody = None
@@ -954,16 +957,15 @@ def is_cgi(self):
954957
(and the next character is a '/' or the end of the string).
955958
956959
"""
957-
958-
splitpath = _url_collapse_path_split(self.path)
959-
joined_path = '/'.join(splitpath)
960-
dir_sep = joined_path.find('/',1)
961-
head, tail = joined_path[:dir_sep], joined_path[dir_sep+1:]
960+
collapsed_path = _url_collapse_path(self.path)
961+
dir_sep = collapsed_path.find('/', 1)
962+
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
962963
if head in self.cgi_directories:
963964
self.cgi_info = head, tail
964965
return True
965966
return False
966967

968+
967969
cgi_directories = ['/cgi-bin', '/htbin']
968970

969971
def is_executable(self, path):

Lib/test/test_httpservers.py

Lines changed: 28 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -366,41 +366,44 @@ def tearDown(self):
366366
finally:
367367
BaseTestCase.tearDown(self)
368368

369-
def test_url_collapse_path_split(self):
369+
def test_url_collapse_path(self):
370+
# verify tail is the last portion and head is the rest on proper urls
370371
test_vectors = {
371-
'': ('/', ''),
372+
'': '//',
372373
'..': IndexError,
373374
'/.//..': IndexError,
374-
'/': ('/', ''),
375-
'//': ('/', ''),
376-
'/\\': ('/', '\\'),
377-
'/.//': ('/', ''),
378-
'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
379-
'/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
380-
'a': ('/', 'a'),
381-
'/a': ('/', 'a'),
382-
'//a': ('/', 'a'),
383-
'./a': ('/', 'a'),
384-
'./C:/': ('/C:', ''),
385-
'/a/b': ('/a', 'b'),
386-
'/a/b/': ('/a/b', ''),
387-
'/a/b/c/..': ('/a/b', ''),
388-
'/a/b/c/../d': ('/a/b', 'd'),
389-
'/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
390-
'/a/b/c/../d/e/../../f': ('/a/b', 'f'),
391-
'/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
375+
'/': '//',
376+
'//': '//',
377+
'/\\': '//\\',
378+
'/.//': '//',
379+
'cgi-bin/file1.py': '/cgi-bin/file1.py',
380+
'/cgi-bin/file1.py': '/cgi-bin/file1.py',
381+
'a': '//a',
382+
'/a': '//a',
383+
'//a': '//a',
384+
'./a': '//a',
385+
'./C:/': '/C:/',
386+
'/a/b': '/a/b',
387+
'/a/b/': '/a/b/',
388+
'/a/b/.': '/a/b/',
389+
'/a/b/c/..': '/a/b/',
390+
'/a/b/c/../d': '/a/b/d',
391+
'/a/b/c/../d/e/../f': '/a/b/d/f',
392+
'/a/b/c/../d/e/../../f': '/a/b/f',
393+
'/a/b/c/../d/e/.././././..//f': '/a/b/f',
392394
'../a/b/c/../d/e/.././././..//f': IndexError,
393-
'/a/b/c/../d/e/../../../f': ('/a', 'f'),
394-
'/a/b/c/../d/e/../../../../f': ('/', 'f'),
395+
'/a/b/c/../d/e/../../../f': '/a/f',
396+
'/a/b/c/../d/e/../../../../f': '//f',
395397
'/a/b/c/../d/e/../../../../../f': IndexError,
396-
'/a/b/c/../d/e/../../../../f/..': ('/', ''),
398+
'/a/b/c/../d/e/../../../../f/..': '//',
399+
'/a/b/c/../d/e/../../../../f/../.': '//',
397400
}
398401
for path, expected in test_vectors.items():
399402
if isinstance(expected, type) and issubclass(expected, Exception):
400403
self.assertRaises(expected,
401-
server._url_collapse_path_split, path)
404+
server._url_collapse_path, path)
402405
else:
403-
actual = server._url_collapse_path_split(path)
406+
actual = server._url_collapse_path(path)
404407
self.assertEqual(expected, actual,
405408
msg='path = %r\nGot: %r\nWanted: %r' %
406409
(path, actual, expected))

0 commit comments

Comments
 (0)