[issue13352] tutorial section 9.3.3 documentation problem
Ori Livneh added the comment:

That's exactly the point: in Python, data attributes don't need to be declared in the class definition.

--
nosy: +ori.livneh

Python tracker <http://bugs.python.org/issue13352>

Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue11197] information leakage with SimpleHTTPServer
Changes by Ori Livneh:

--
nosy: +Ori.Livneh

Python tracker <http://bugs.python.org/issue11197>
[issue11197] information leakage with SimpleHTTPServer
Ori Livneh added the comment:

I've attached my proposal for a fix. It's my first, so apologies if I've made a mistake somewhere. Senthil Kumaran, to whom the bug is currently assigned, kindly agreed to let me take a stab at it (thanks!).

The approach I took was to normalize the path by replacing each of os.sep and os.altsep with slashes if (a) these characters are present in the path component and (b) the operating system is such that os.sep or os.altsep != '/'. (Currently, os.altsep is either None or '/' on all systems, but it seemed like a good idea to check anyway.)

Requesting a relative path which, when translated, would point above the current working directory (e.g. http://localhost:8000/../) causes the server to return a 400 error, which is just how Apache responds to such requests. Internal calls to translate_path with such malformed paths cause translate_path to raise an IndexError, which is consistent with how _url_collapse_path_split (used by CGIRequestHandler) handles them.

--
keywords: +patch
Added file: http://bugs.python.org/file22260/translate_path.patch
[issue11197] information leakage with SimpleHTTPServer
Ori Livneh added the comment:

I updated the patch, making the emendations suggested by Eric's review, and making a few additional changes.

I was bothered that translate_path was duplicating functionality from _url_collapse_path_split, so I made some corrections to the latter and rewrote translate_path so that it uses _url_collapse_path_split and implements only the checks necessary for translating the path to a path on the local file system path. translate_path relies on os.path to make sure the path is safe, which is (I think) also the proper way to do things, since it's not good to have to remember to update path semantics in http.server if Python is ported to additional platforms.

I also read the various specs and made sure entities are unquoted at the appropriate point.

--
Added file: http://bugs.python.org/file22338/translate_path_rev2.patch
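The approach described in the two comments above (unquote, treat os.sep and os.altsep as slashes, refuse paths that point above the served directory, leave the final check to os.path), as an added example that is not the attached patch and not http.server's own code. The name translate_url_path, its root/sep/altsep parameters and the choice of ValueError are assumptions of this example.

```python
import os
from urllib.parse import unquote


def translate_url_path(url_path, root, sep=os.sep, altsep=os.altsep):
    """Map a request path to a file-system path under root (hypothetical helper).

    Raises ValueError when the request would resolve outside root; an HTTP
    handler would answer such a request with a 400 response.
    """
    # Drop query string and fragment, then decode percent-escapes once,
    # before separators are examined, so %2e%2e or %5c cannot slip past.
    path = unquote(url_path.split("?", 1)[0].split("#", 1)[0])

    # Treat the platform separators as '/' when they differ from it
    # (os.sep is '\\' on Windows), so "..\\.." is seen as a traversal.
    for s in (sep, altsep):
        if s and s != "/":
            path = path.replace(s, "/")

    # Collapse segments by hand: stepping above the top is an error
    # rather than being silently clamped to the root.
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise ValueError("path points above the served directory")
            parts.pop()
        else:
            parts.append(segment)

    # Final check delegated to os.path: after the OS's own normalisation
    # and symlink resolution the result must still lie inside root.
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the served directory")
    return candidate
```

Passing sep="\\" on a POSIX host exercises the Windows separator case without needing a Windows machine.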
[issue11197] information leakage with SimpleHTTPServer
Ori Livneh added the comment:

Yes, I seem to have gotten confused about this. Sorry for the confusion, and thanks for clearing it up.