authorianb <devnull@localhost>2006-12-18 00:28:21 +0000
committerianb <devnull@localhost>2006-12-18 00:28:21 +0000
commit7c0b1546341ae5761701c4d667cbb6e87327ba19 (patch)
treeed070f240b8a249e2e407eecb1993ed558a58682 /paste/httpserver.py
parent165668aae8890fba08a5b40a83a814e4c74bf659 (diff)
Security fix for StaticURLParser, plus unquote SCRIPT_NAME and PATH_INFO, plus don't double-unquote in StaticURLParser
Diffstat (limited to 'paste/httpserver.py')
-rwxr-xr-xpaste/httpserver.py5
1 files changed, 4 insertions, 1 deletions
diff --git a/paste/httpserver.py b/paste/httpserver.py
index 518bb21..bbd4913 100755
--- a/paste/httpserver.py
+++ b/paste/httpserver.py
@@ -17,7 +17,8 @@ if pyOpenSSL is installed, it also provides SSL capabilities.
# @@: add support for chunked encoding, this is not a 1.1 server
# till this is completed.
-import socket, sys, threading, urlparse, Queue
+import socket, sys, threading, urlparse, Queue, urllib
+import posixpath
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from SocketServer import ThreadingMixIn
from paste.util import converters
@@ -160,6 +161,8 @@ class WSGIHandlerMixin:
"""
(_, _, path, query, fragment) = urlparse.urlsplit(self.path)
+ path = urllib.unquote(path)
+ path = posixpath.normpath(path)
(server_name, server_port) = self.server.server_address
rfile = self.rfile
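Review bot: `posixpath.normpath(path)` on the added line also drops a trailing slash (`/dir/` becomes `/dir`) and turns an empty path into `.`, so the value that presumably ends up in PATH_INFO no longer matches what the client requested for directory-style URLs. Record the slash before normalising and restore it afterwards: `endslash = path.endswith('/')` before the call, then `if endslash and path != '/': path += '/'`. Normalisation here also leaves a leading `//` and any backslashes untouched, so file-serving code downstream should keep its own check that the resolved path stays under its root rather than rely on this step. The enclosing method starts and ends outside the hunk.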