From 7c0b1546341ae5761701c4d667cbb6e87327ba19 Mon Sep 17 00:00:00 2001
From: ianb
Date: Mon, 18 Dec 2006 00:28:21 +0000
Subject: Security fix for StaticURLParser, plus unquote SCRIPT_NAME and PATH_INFO, plus don't double-unquote in StaticURLParser
---
 paste/httpserver.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 (limited to 'paste/httpserver.py')

diff --git a/paste/httpserver.py b/paste/httpserver.py
index 518bb21..bbd4913 100755
--- a/paste/httpserver.py
+++ b/paste/httpserver.py
@@ -17,7 +17,8 @@ if pyOpenSSL is installed, it also provides SSL capabilities.
 # @@: add support for chunked encoding, this is not a 1.1 server
 # till this is completed.
 
-import socket, sys, threading, urlparse, Queue
+import socket, sys, threading, urlparse, Queue, urllib
+import posixpath
 from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 from SocketServer import ThreadingMixIn
 from paste.util import converters
@@ -160,6 +161,8 @@ class WSGIHandlerMixin:
 """
 
 (_, _, path, query, fragment) = urlparse.urlsplit(self.path)
+ path = urllib.unquote(path)
+ path = posixpath.normpath(path)
 (server_name, server_port) = self.server.server_address
 
 rfile = self.rfile
-- 
cgit v1.2.1
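Review bot: `posixpath.normpath(path)` in the second hunk (WSGIHandlerMixin, right after `urlparse.urlsplit(self.path)`) strips a trailing slash and turns an empty path into `.`, so the value used from here on no longer distinguishes `/dir/` from `/dir`, and nothing visible in the hunk restores it. Record the slash before normalising and put it back afterwards: `endslash = path.endswith('/')` ahead of the normpath call, then `if endslash and path != '/': path += '/'` after it. normpath also leaves leading `..` segments in place when the path does not start with `/` and preserves a leading `//`, so this normalisation is defence in depth only; the file-serving code still needs its own check that the resolved file stays under its root directory. The method body starts and ends outside the hunk, so how `path` is later split into SCRIPT_NAME and PATH_INFO cannot be confirmed from here.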