STINNER Victor <victor.stin...@gmail.com> added the comment: I wrote this patch, but I'm not sure it is acceptable to always reject redirect URLs that start with //:
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 502bce0c7a..494031b8c2 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -673,10 +673,18 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
         parts = urllib.parse.urlsplit(self.path)
         if not parts.path.endswith('/'):
             # redirect browser - doing basically what apache does
-            self.send_response(HTTPStatus.MOVED_PERMANENTLY)
             new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
             new_url = urllib.parse.urlunsplit(new_parts)
+
+            # Browsers interpret "Location: //uri" as an absolute URI
+            # like "http://URI"
+            if new_url.startswith('//'):
+                self.send_error(HTTPStatus.BAD_REQUEST,
+                                "URI must not start with //")
+                return None
+
+            self.send_response(HTTPStatus.MOVED_PERMANENTLY)
             self.send_header("Location", new_url)
             self.end_headers()
             return None
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32084>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
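Review bot: The `new_url.startswith('//')` check only catches two forward slashes, but browsers that follow the WHATWG URL parser treat a backslash like a slash in http(s) URLs, so a request for `/\evil.example` still produces `Location: /\evil.example/`, which such a client is likely to read as the protocol-relative `//evil.example/` the patch is trying to block. The check also runs after `urlsplit` has already parsed the leading `//` into a netloc, which works here only because `urlunsplit` writes it back out; testing the raw request path is more direct. Normalizing before the parse, e.g. `if self.path.startswith(('//', '/\\')): self.path = '/' + self.path.lstrip('/\\')` placed ahead of the `urlsplit` call, closes both forms and keeps the request serviceable instead of answering 400 — which is the policy question the comment above raises, so either way the decision should be recorded in the code comment. The enclosing method begins before this hunk.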