server: Check for relative paths to invalid directories

Avoid leaking information to requests like:

  http://localhost:4000/../../etc/passwd

PEP 333 isn't clear on what values are allowed for PATH_INFO, but it
does mention them as "CGI-style" [1]. RFC 3875, defining CGI 1.1,
says about PATH_INFO [2]:

  The server MAY impose restrictions and limitations on what values it
  permits for PATH_INFO, and MAY reject the request with an error if
  it encounters any values considered objectionable.

I can't actually exploit this with Python's reference WSGI
implementation. When I tried to fetch /../../etc/passwd with Wget, I
got '/etc/passwd' as PATH_INFO, but this seems like an
important-enough risk that a little extra checking would not be wrong
;).

Also drop the urlparse call, because PATH_INFO is already the parsed
path portion of the URL.

[1]: http://legacy.python.org/dev/peps/pep-0333/#specification-details
[2]: http://tools.ietf.org/search/rfc3875#section-4.1.5
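
One way to implement the check this commit message describes, as an added example that is not the project's own code. The names `resolve_path_info`, `make_app` and `fetch` are hypothetical, and the sketch assumes a static file server rooted at a single directory.

```python
import os


def resolve_path_info(docroot, path_info):
    """Map PATH_INFO onto docroot; return None if the result escapes it."""
    root = os.path.realpath(docroot)
    # PATH_INFO is already the path portion of the URL: no urlparse needed.
    # Strip leading slashes so os.path.join() cannot be reset to "/".
    candidate = os.path.realpath(os.path.join(root, path_info.lstrip('/')))
    # realpath() collapses ".." and symlinks; commonpath() compares whole
    # components, so "<root>-private" is not mistaken for a child of root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def make_app(docroot):
    """Return a WSGI app serving regular files below docroot only."""
    def app(environ, start_response):
        target = resolve_path_info(docroot, environ.get('PATH_INFO', ''))
        # Same answer for "outside docroot" and "missing", so the response
        # does not reveal which paths exist elsewhere on the host.
        if target is None or not os.path.isfile(target):
            start_response('404 Not Found', [('Content-Type', 'text/plain')])
            return [b'Not Found\n']
        with open(target, 'rb') as handle:
            body = handle.read()
        start_response('200 OK', [
            ('Content-Type', 'application/octet-stream'),
            ('Content-Length', str(len(body))),
        ])
        return [body]
    return app


def fetch(app, path_info):
    """Call app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen['status'] = status

    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path_info}
    body = b''.join(app(environ, start_response))
    return seen['status'], body
```

The check runs on the resolved filesystem path rather than on the raw string, so it holds whether or not the WSGI server in front has already normalized `..` segments.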