@@ -112,7 +112,11 @@ def do_GET(self):
112112 else :
113113 rel_path = path .lstrip ("/" )
114114 # Directory traversal detection
115- if ".." in rel_path or rel_path .startswith ("/" ):
115+ if (
116+ ".." in rel_path .split (os .sep )
117+ or rel_path .startswith ("/" )
118+ or os .path .isabs (rel_path )
119+ ):
116120 logging .warning (
117121 f"[SECURITY] Directory traversal attempt: { self .path }
118122 )
@@ -230,14 +234,15 @@ def translate_path(self, path):
230234
231235 # Remove query and fragment
232236 safe_path = path .split ("?" , 1 )[0 ]
233- safe_path = path .split ("#" , 1 )[0 ]
237+ safe_path = safe_path .split ("#" , 1 )[0 ]
234238 safe_path = urllib .parse .unquote (safe_path , errors = "surrogatepass" )
235239 safe_path = posixpath .normpath (safe_path )
236240 # Prevent absolute paths and directory traversal
237241 if (
238242 safe_path .startswith (os .sep )
239243 or safe_path .startswith (".." )
240- or ".." in safe_path
244+ or ".." in safe_path .split (os .sep )
245+ or os .path .isabs (safe_path )
241246 ):
242247 logging .warning (
243248 f"[SECURITY] Attempted directory traversal or absolute path: { path }
@@ -410,6 +415,14 @@ def run(self):
410415 # Fallback for older Python: explicitly disable TLSv1 and TLSv1_1
411416 context .options |= getattr (ssl , "OP_NO_TLSv1" , 0 )
412417 context .options |= getattr (ssl , "OP_NO_TLSv1_1" , 0 )
418+ # If neither minimum_version nor options are available, raise error
419+ if not (
420+ getattr (ssl , "OP_NO_TLSv1" , None )
421+ and getattr (ssl , "OP_NO_TLSv1_1" , None )
422+ ):
423+ raise RuntimeError (
424+ "Python SSLContext does not support disabling TLSv1/TLSv1_1. Upgrade your Python/SSL."
425+ )
413426 context .load_cert_chain (certfile = cert_file , keyfile = key_file )
414427 self ._server .socket = context .wrap_socket (
415428 self ._server .socket , server_side = True
0 commit comments