Python http.server will disclose the full path where the http server is running when certains URL encoded values are sent as parameters. This was tested on a linux and windows machine. This was initially reported to security@ but I was asked to create an issue here. I am including the analysis that Gregory P Smith did.
python -m http.server 9000
C:\Users\fmunozs>curl http://localhost:9000/?x=123
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for /?x=123</title>
</head>
<body>
<h1>Directory listing for /?x=123</h1>
<hr>
<ul>
<li><a href="x.txt">x.txt</a></li>
</ul>
<hr>
</body>
</html>
curl http://localhost:9000/?x=%bb
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for C:\Users\fmunozs\Desktop\test/</title>
</head>
<body>
<h1>Directory listing for C:\Users\fmunozs\Desktop\test/</h1>
<hr>
<ul>
<li><a href="x.txt">x.txt</a></li>
</ul>
<hr>
</body>
</html>
urllib.parse.unquote('/?x=%bb', errors='surrogatepass')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbb in position 4: invalid start byte
Bug report
Description
Python http.server will disclose the full path where the http server is running when certains URL encoded values are sent as parameters. This was tested on a linux and windows machine. This was initially reported to security@ but I was asked to create an issue here. I am including the analysis that Gregory P Smith did.
Steps to reproduce
Run
From another terminal:
Your environment
Analysis by Gregory P Smith
This comes from https://github.com/python/cpython/blob/v3.11.3/Lib/http/server.py#L789-L793 and has been that way probably forever in Python.
Thus
self.pathisn't used for displaypath and it falls back to displayingpathwhich is the local filesystem path we don't want a server to expose, per that try:..except:..Linked PRs