7 changes: 5 additions & 2 deletions Lib/http/server.py
Expand Up @@ -840,11 +840,14 @@ def list_directory(self, path):
return None
list.sort(key=lambda a: a.lower())
r = []
displaypath = self.path
displaypath = displaypath.split('#', 1)[0]
displaypath = displaypath.split('?', 1)[0]
try:
displaypath = urllib.parse.unquote(self.path,
displaypath = urllib.parse.unquote(displaypath,
errors='surrogatepass')
except UnicodeDecodeError:
displaypath = urllib.parse.unquote(self.path)
displaypath = urllib.parse.unquote(displaypath)
displaypath = html.escape(displaypath, quote=False)
enc = sys.getfilesystemencoding()
title = f'Directory listing for {displaypath}'
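Review bot: The new `displaypath` assignments at the top of this hunk carry no comment explaining why the fragment and query are cut off before decoding, even though `self.path` is the raw request target chosen by the client. I would add `# Show only the path component: drop the client-supplied fragment and query before unquoting.` above `displaypath = self.path`. A short note next to `html.escape(displaypath, quote=False)` would also help, e.g. `# quote=False: safe as element text, not inside an attribute value`. The visible lines only place the value in the title string, and the rest of list_directory lies outside the hunk, so any other use of `displaypath` should be checked against that constraint.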
13 changes: 7 additions & 6 deletions Lib/test/test_httpservers.py
Expand Up @@ -628,13 +628,14 @@ def test_list_dir_escape_filename(self):
self.check_list_dir_filename(filename)
os_helper.unlink(os.path.join(self.tempdir, filename))

def test_undecodable_parameter(self):
# sanity check using a valid parameter
def test_list_dir_with_query_and_fragment(self):
prefix = f'listing for {self.base_url}/</'.encode('latin1')
response = self.request(self.base_url + '/#123').read()
self.assertIn(prefix + b'title>', response)
self.assertIn(prefix + b'h1>', response)
response = self.request(self.base_url + '/?x=123').read()
self.assertRegex(response, rf'listing for {self.base_url}/\?x=123'.encode('latin1'))
# now the bogus encoding
response = self.request(self.base_url + '/?x=%bb').read()
self.assertRegex(response, rf'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
self.assertIn(prefix + b'title>', response)
self.assertIn(prefix + b'h1>', response)

def test_get_dir_redirect_location_domain_injection_bug(self):
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
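Review bot: The rewritten test appears to drop the undecodable-query request (`'/?x=%bb'`) rather than adapt it, so nothing visible here checks that a malformed percent-escape in the query still yields a clean listing. Keeping it as a third request, `response = self.request(self.base_url + '/?x=%bb').read()` followed by the same two `assertIn(prefix + ...)` checks, would preserve that regression coverage, and a combined `'/?x=123#frag'` case would pin the two splits working together. A comment on `prefix` would help as well, e.g. `# ends with '</' so a match proves the closing tag follows the path directly`. The old/new side of each line is inferred here, because the rendered page lost its +/- markers.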
@@ -0,0 +1,3 @@
The generated directory listing page in
:class:`http.server.SimpleHTTPRequestHandler` now only shows the decoded
path component of the requested URL, and not the query and fragment.