René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"python 3.11 http.server internal path disclosure","articleBody":"# Bug report\r\n\r\nDescription\r\n---\r\nPython http.server will disclose the full path where the http server is running when certains URL encoded values are sent as parameters. This was tested on a linux and windows machine. This was initially reported to security@ but I was asked to create an issue here. I am including the analysis that Gregory P Smith did.\r\n\r\nSteps to reproduce\r\n---\r\nRun \r\n```\r\npython -m http.server 9000\r\n```\r\n\r\nFrom another terminal:\r\n```\r\nC:\\Users\\fmunozs\u003ecurl http://localhost:9000/?x=123\r\n\u003c!DOCTYPE HTML\u003e\r\n\u003chtml lang=\"en\"\u003e\r\n\u003chead\u003e\r\n\u003cmeta charset=\"utf-8\"\u003e\r\n\u003ctitle\u003eDirectory listing for /?x=123\u003c/title\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ch1\u003eDirectory listing for /?x=123\u003c/h1\u003e\r\n\u003chr\u003e\r\n\u003cul\u003e\r\n\u003cli\u003e\u003ca href=\"x.txt\"\u003ex.txt\u003c/a\u003e\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\u003chr\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\n\r\ncurl http://localhost:9000/?x=%bb\r\n\u003c!DOCTYPE HTML\u003e\r\n\u003chtml lang=\"en\"\u003e\r\n\u003chead\u003e\r\n\u003cmeta charset=\"utf-8\"\u003e\r\n\u003ctitle\u003eDirectory listing for C:\\Users\\fmunozs\\Desktop\\test/\u003c/title\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ch1\u003eDirectory listing for C:\\Users\\fmunozs\\Desktop\\test/\u003c/h1\u003e\r\n\u003chr\u003e\r\n\u003cul\u003e\r\n\u003cli\u003e\u003ca href=\"x.txt\"\u003ex.txt\u003c/a\u003e\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\u003chr\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\n```\r\n\r\n# Your environment\r\n\r\n- CPython versions tested on: 3.11.3\r\n- Operating system and architecture: Windows 11 and Linux\r\n\r\n# Analysis by Gregory P Smith\r\n\r\nThis comes from https://github.com/python/cpython/blob/v3.11.3/Lib/http/server.py#L789-L793 and has been that way probably forever in Python.\r\n```\r\n  urllib.parse.unquote('/?x=%bb', errors='surrogatepass')\r\n  UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbb in position 4: invalid start byte\r\n```\r\nThus `self.path` isn't used for displaypath and it falls back to displaying `path` which is the local filesystem path we don't want a server to expose, per that try:..except:..\r\n\r\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-104067\n* gh-104119\n* gh-104120\n* gh-104121\n* gh-104122\n* gh-104123\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/fmunozs","@type":"Person","name":"fmunozs"},"datePublished":"2023-05-01T17:22:07.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/104049/cpython/issues/104049"}