gh-134098: Fix handling %-encoded trailing slash in SimpleHTTPRequestHandler (GH-134099)

2025-05-17 10:11:34 +03:00 · 2025-05-17 10:11:34 +03:00 · 2f1ecb3bc4
commit 2f1ecb3bc4
parent fcaf009907
3 changed files with 17 additions and 4 deletions
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@ -750,7 +750,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
        f = None
        if os.path.isdir(path):
            parts = urllib.parse.urlsplit(self.path)
-            if not parts.path.endswith('/'):
+            if not parts.path.endswith(('/', '%2f', '%2F')):
                # redirect browser - doing basically what apache does
                self.send_response(HTTPStatus.MOVED_PERMANENTLY)
                new_parts = (parts[0], parts[1], parts[2] + '/',
@ -890,14 +890,14 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
        """
        # abandon query parameters
-        path = path.split('?',1)[0]
+        path = path.split('#', 1)[0]
-        path = path.split('#',1)[0]
+        path = path.split('?', 1)[0]
        # Don't forget explicit trailing slash when normalizing. Issue17324
        trailing_slash = path.rstrip().endswith('/')
        try:
            path = urllib.parse.unquote(path, errors='surrogatepass')
        except UnicodeDecodeError:
            path = urllib.parse.unquote(path)
        trailing_slash = path.endswith('/')
        path = posixpath.normpath(path)
        words = path.split('/')
        words = filter(None, words)
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -692,10 +692,19 @@ class SimpleHTTPServerTestCase(BaseTestCase):
        # check for trailing "/" which should return 404. See Issue17324
        response = self.request(self.base_url + '/test/')
        self.check_status_and_reason(response, HTTPStatus.NOT_FOUND)
        response = self.request(self.base_url + '/test%2f')
        self.check_status_and_reason(response, HTTPStatus.NOT_FOUND)
        response = self.request(self.base_url + '/test%2F')
        self.check_status_and_reason(response, HTTPStatus.NOT_FOUND)
        response = self.request(self.base_url + '/')
        self.check_status_and_reason(response, HTTPStatus.OK)
        response = self.request(self.base_url + '%2f')
        self.check_status_and_reason(response, HTTPStatus.OK)
        response = self.request(self.base_url + '%2F')
        self.check_status_and_reason(response, HTTPStatus.OK)
        response = self.request(self.base_url)
        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
        self.assertEqual(response.getheader("Location"), self.base_url + "/")
        self.assertEqual(response.getheader("Content-Length"), "0")
        response = self.request(self.base_url + '/?hi=2')
        self.check_status_and_reason(response, HTTPStatus.OK)
@ -801,6 +810,8 @@ class SimpleHTTPServerTestCase(BaseTestCase):
        self.check_status_and_reason(response, HTTPStatus.OK)
        response = self.request(self.tempdir_name)
        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
        self.assertEqual(response.getheader("Location"),
                         self.tempdir_name + "/")
        response = self.request(self.tempdir_name + '/?hi=2')
        self.check_status_and_reason(response, HTTPStatus.OK)
        response = self.request(self.tempdir_name + '?hi=1')
--- a/Misc/NEWS.d/next/Library/2025-05-16-20-10-25.gh-issue-134098.YyTkKr.rst
+++ b/Misc/NEWS.d/next/Library/2025-05-16-20-10-25.gh-issue-134098.YyTkKr.rst
@ -0,0 +1,2 @@
 Fix handling paths that end with a percent-encoded slash (``%2f`` or
 ``%2F``) in :class:`http.server.SimpleHTTPRequestHandler`.
		`@ -0,0 +1,2 @@`
							Fix handling paths that end with a percent-encoded slash (``%2f`` or
							``%2F``) in :class:`http.server.SimpleHTTPRequestHandler`.