[Python-checkins] bpo-34711: Return HTTPStatus.NOT_FOUND if path.endswith('/') and not a directory (GH-9687)

Nick Coghlan webhook-mailer at python.org
Wed Dec 26 00:43:46 EST 2018 

https://github.com/python/cpython/commit/2062a20641febad5eb9c18d74e1cfb4d7a6e53ed
commit: 2062a20641febad5eb9c18d74e1cfb4d7a6e53ed
branch: master
author: Michael Felt <aixtools at users.noreply.github.com>
committer: Nick Coghlan <ncoghlan at gmail.com>
date: 2018-12-26T15:43:42+10:00
summary:

bpo-34711: Return HTTPStatus.NOT_FOUND if path.endswith('/') and not a directory (GH-9687)

AIX allows a trailing slash on local file system paths, which isn't what we want
in http.server. Accordingly, check explicitly for this case in the server code,
rather than relying on the OS raising an exception.

Patch by Michael Felt.

files:
A Misc/NEWS.d/next/Library/2018-10-03-09-25-02.bpo-34711.HeOmKR.rst
M Lib/http/server.py

diff --git a/Lib/http/server.py b/Lib/http/server.py
index 22d865f2fdfa..29c720ea7ea8 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -692,6 +692,14 @@ def send_head(self):
             else:
                 return self.list_directory(path)
         ctype = self.guess_type(path)
+        # check for trailing "/" which should return 404. See Issue17324
+        # The test for this was added in test_httpserver.py
+        # However, some OS platforms accept a trailingSlash as a filename
+        # See discussion on python-dev and Issue34711 regarding
+        # parseing and rejection of filenames with a trailing slash
+        if path.endswith("/"):
+            self.send_error(HTTPStatus.NOT_FOUND, "File not found")
+            return None
         try:
             f = open(path, 'rb')
         except OSError:
diff --git a/Misc/NEWS.d/next/Library/2018-10-03-09-25-02.bpo-34711.HeOmKR.rst b/Misc/NEWS.d/next/Library/2018-10-03-09-25-02.bpo-34711.HeOmKR.rst
new file mode 100644
index 000000000000..f3522f319785
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-10-03-09-25-02.bpo-34711.HeOmKR.rst
@@ -0,0 +1,3 @@
+http.server ensures it reports HTTPStatus.NOT_FOUND when the local path ends with "/"
+and is not a directory, even if the underlying OS (e.g. AIX) accepts such paths as a
+valid file reference. Patch by Michael Felt.

More information about the Python-checkins mailing list