Address vstinner comments on the test.

make the base urls, attack urls, and expected_location more clear in the test. Adds an additional test for a triple-slash path to ensure we're not only treating double slashes as special.
python · gpshead · Jun 21, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022
commit 25a3a1c4188fb8f50bb7dd07c9ccdb7c9c8a654f
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
@@ -421,25 +421,32 @@ def test_undecodable_filename(self):
     def test_get_dir_redirect_location_domain_injection_bug(self):
         """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
 
-        //domain/ in a Location header is a redirect to a new domain name.
+        //netloc/ in a Location header is a redirect to a new host.
         https://github.com/python/cpython/issues/87389
 
         This checks that a path resolving to a directory on our server cannot
-        resolve into a redirect to another server telling it that the
-        directory in question exists on the Referrer server.
+        resolve into a redirect to another server.
         """
         os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
+        url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
         # Canonicalizes to /tmp/tempdir_name/existing_directory which does
         # exist and is a dir, triggering the 301 redirect and former bug.
-        attack_url = f'//python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
+        attack_url = f'/{url}'  # //python.org... multi-slash prefix, no trailing slash
+        expected_location = f'{url}/'  # /python.org.../ single slash single prefix, trailing slash
+
         response = self.request(attack_url)
         self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
         location = response.getheader('Location')
         self.assertFalse(location.startswith('//'), msg=location)
-        self.assertEqual(location, f'/{attack_url.lstrip("/")}/',
+        self.assertEqual(location, expected_location,
                 msg='Expected Location header to start with a single / and '
                 'end with a / as this is a directory redirect.')
 
+        attack3_url = f'//{url}'  # ///python.org... triple-slash prefix, no trailing slash
+        response = self.request(attack3_url)
+        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+        self.assertEqual(response.getheader('Location'), expected_location)
+
     def test_get(self):
         #constructs the path relative to the root directory of the HTTPServer
         response = self.request(self.base_url + '/test')