[issue11197] information leakage with SimpleHTTPServer
Gregory P. Smith
report at bugs.python.org
Sun Feb 13 06:42:13 CET 2011
Gregory P. Smith <greg at krypto.org> added the comment:
Agreed; fixing this is going to be too complex for 3.2.0. It'll be done for 3.2.1.
Reading over the http.server Simple and CGI HTTPRequestHandler code, I see many problems with the way this code does things today.
* I'm not sure urllib.parse.unquote() is called on the path in the correct place all the time. Studying some RFCs will be required to confirm that. Specifically, the CGI handler unquotes the path before fixing it up. The Simple handler never unquotes the path.
Simple (and subclasses such as CGI):
* The mentioned directory traversal vulnerability.
* The _url_collapse_path_split called by is_cgi lets os.sep's through unchecked so a request for /foo/bar\..\..\..\..\..\../ for example should still find its way out on windows. issue2254 wasn't 100% fixed.
* _url_collapse_path_split should really ignore the query string and anchor; though the way it is used it likely just wastes time processing them and discarding the result.
* It uses fork() + execve() on posix systems. It should always use subprocess instead in order to be thread safe.
The first thing I'll be doing is coming up with test cases demonstrating each of these issues.
versions: -Python 2.5
Python tracker <report at bugs.python.org>
More information about the Python-bugs-list
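As an added illustration of the path-handling points raised in the comment above (the directory traversal, os.sep slipping through the collapse, and the query string and fragment being fed into the collapse), here is a hardened request-path collapser. This is example code written for this page; it is not the http.server code, not Gregory's eventual fix, and the function names collapse_url_path, translate_path and split_cgi_request are hypothetical. It assumes the three rules a server should follow: strip the query and fragment before decoding, percent-decode exactly once, and treat the backslash as a separator on every platform rather than only where os.sep happens to be a backslash; a final os.path.commonpath check acts as an independent second guard. The sample requests at the bottom, including the backslash-traversal request from the report, are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

# Separators folded into '/' before splitting. Always including the backslash
# means a request like /foo/bar\..\..\.. is collapsed the same way on POSIX as
# on Windows, instead of passing through as one odd-looking component.
_SEPARATORS = ('/', '\\', os.sep)


def collapse_url_path(raw_path):
    """Normalise a request-line path into a list of clean path components.

    Returns the components (e.g. ['docs', 'index.html']) or None when the
    request tries to climb above the document root or carries a NUL byte.
    """
    # 1. Drop '?query' and '#fragment' first: only the path part maps to a file,
    #    so the collapse never spends time on them and they cannot influence it.
    path = urlsplit(raw_path).path
    # 2. Percent-decode exactly once, after the split, so an encoded '%2F' or
    #    '%2E%2E' becomes a separator or dot-dot and is collapsed like a plain one.
    path = unquote(path)
    if '\x00' in path:
        return None
    # 3. Fold every separator variant into '/' before splitting.
    for sep in _SEPARATORS:
        path = path.replace(sep, '/')
    parts = []
    for component in path.split('/'):
        if component in ('', '.'):
            continue            # '' (from '//') and '.' change nothing
        if component == '..':
            if not parts:
                return None     # '..' with nothing left to pop: escape above root
            parts.pop()
            continue
        parts.append(component)
    return parts


def translate_path(document_root, raw_path):
    """Map a request path onto the filesystem, or return None if it is unsafe.

    The collapse is the first line of defence; the commonpath comparison on
    resolved paths is a second, independent one that also refuses a symlink
    inside the root that points outside it.
    """
    parts = collapse_url_path(raw_path)
    if parts is None:
        return None
    real_root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(real_root, *parts))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def split_cgi_request(raw_path, cgi_dirs=('cgi-bin',)):
    """Hypothetical is_cgi-style check performed on *collapsed* components.

    Returns (script_dir, script_name, path_info) or None when the request is
    not a CGI request, or was rejected by the collapse.
    """
    parts = collapse_url_path(raw_path)
    if not parts or len(parts) < 2 or parts[0] not in cgi_dirs:
        return None
    return parts[0], parts[1], '/'.join(parts[2:])


if __name__ == '__main__':
    # Constructed sample requests; the backslash one mirrors the report.
    samples = [
        '/docs/index.html',
        '/a/./b//c',
        '/a/b/../c?x=../../etc/passwd#../..',
        '/docs/../../etc/passwd',
        '/foo/bar\\..\\..\\..\\..\\..\\../',
        '/a%2F..%2F..%2Fetc%2Fpasswd',
        '/cgi-bin/script.cgi/extra/info',
    ]
    root = tempfile.mkdtemp()
    for sample in samples:
        print(f'{sample!r:45} -> {collapse_url_path(sample)!r}')
        print(f'{"":45}    fs: {translate_path(root, sample)!r}')
```

Rejecting a request that climbs above the root (returning None rather than silently clamping it at the root) is a deliberate choice: a handler can turn that None into a 4xx and a log line, which is what you want for detection, whereas clamping hides the attempt. The CGI split runs on the already collapsed components, so a request cannot reach the cgi_dirs test with a raw "..\" still embedded in it.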