Sorry, something went wrong.
There was a problem hiding this comment.
Can you please try to write an unit test?
Sorry, something went wrong.
|
This PR is stale because it has been open for 30 days with no activity. |
Sorry, something went wrong.
|
Sorry I was busy with my other projects. |
Sorry, something went wrong.
|
Since I'm new to writing test cases, please help me in correcting the code if something went wrong. |
Sorry, something went wrong.
|
@vstinner please have a look at the unit test. |
Sorry, something went wrong.
|
|
||
| def test_http_parse_request(self): | ||
| self.assertEqual(re.sub(r'^/+', '/', '//test.com'), '/test.com', '//test.com should be converted to a proper relative path') | ||
| self.assertEqual(re.sub(r'^/+', '/', '///test.com'), '/test.com', '///test.com should be converted to a proper relative path') |
There was a problem hiding this comment.
This doesn't test anything useful. It only checks that some regular expression matches two strings. Since your code change is in http.server, your test should execute the http.server path that you changed.
A good test should fail without your code change to http.server, and pass with your change.
Sorry, something went wrong.
There was a problem hiding this comment.
Sorry I've been away due to my workload. But now as I've got some spare time I can do it better. As I've already said earlier that I'm new to writing these test cases and after checking out your comment I'm still confused about your requirements
Can you please elaborate these two statements:
Since your code change is in http.server, your test should execute the http.server path that you changed.
and this one:
A good test should fail without your code change to http.server, and pass with your change.
Sorry, something went wrong.
There was a problem hiding this comment.
@hamzaavvan, to put it in the simplest terms:
The test will have to actually run the HTTP server to be useful.
Sorry, something went wrong.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request. |
Sorry, something went wrong.
|
I've lost access to my account 😥 replying from email..
…On Fri, Apr 8, 2022, 6:26 PM Jakub Hadvig ***@***.***> wrote:
@hamzaavvan <https://github.com/hamzaavvan> ping :)
—
Reply to this email directly, view it on GitHub
<#24848 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACNY3RNMO7QIH6RKTIMDD53VEAXYXANCNFSM4ZEGXF4Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Sorry, something went wrong.
Due to no protection against multiple (/) at the beginning of a url an attacker could achieve an open redirection by crafting a malformed URI followed by an existing directory.
Payload: http://127.0.0.1:8000//attacker.com/..%2f..%2f../anyexistingdirectory
The main reason behind open redirection is that there's no (/) at the end of anyexistingdirectory because the server is checking for the path supplied is a valid directory at send_head() method from Lib/http/server.py. Right after that, it's checking for the path ending with a (/) or not. So, if there's no (/) at the end of the path then the server will issue a Location header to redirect the web client to that specific directory.
While issuing the redirection, this part //attacker.com/..%2f..%2f../anyexistingdirectory will be sent to the Location header's value due to which any web client or browser will consider it as a new url because of multiple (/) at the beginning of the path.
So to mitigate this issue I decided to use regex to replace all the occurrences of (/) from the beginning of the path.
This regex will replace multiple entries (if present) of (/) or (\) from the beginning of the path. So that the path would be:
And according to these test cases there was no redirection issued from the server after implementing the fix.
https://bugs.python.org/issue43223