[New-bugs-announce] [issue38230] A Path Traversal vulnerability in ssl_servers.py
longwenzhang
report at bugs.python.org
Fri Sep 20 08:47:45 EDT 2019
New submission from longwenzhang <pakecalvs at outlook.com>:
There is a Path Traversal vulnerability in https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py (on the Windows platform). Steps to reproduce:
1. Run the script https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py
2. If you visit https://127.0.0.1:4433/ , you will see the files in the current directory.
But if you visit https://127.0.0.1:4433/c:../ , you will jump to the parent directory, and if you visit https://127.0.0.1:4433/d:../ , you will see the files of D:\
3. I'm sure it's a Path Traversal and I think the problem is at https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py#L71 , there is no check about "word".
----------
components: Tests
messages: 352844
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A Path Traversal vulnerability in ssl_servers.py
type: security
versions: Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38230>
_______________________________________
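
The drive-prefix behaviour reported above, as an added example that is not part of the original report and is not CPython's code: an unchecked per-segment join beside a checked one, run against the two URLs from the report. It uses `ntpath` so Windows path rules apply on any OS; `ROOT`, `is_inside`, `naive_translate` and `safe_translate` are hypothetical names made up for this sketch.

```python
import ntpath  # Windows path rules; importable on any OS

ROOT = r"C:\srv\www"  # constructed document root for this demo


def is_inside(root, path):
    """True if path is root itself or lies beneath it (case-insensitive)."""
    root = ntpath.normcase(ntpath.normpath(root))
    path = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:  # different drive, or drive-relative vs absolute
        return False


def naive_translate(root, url_path):
    """Unchecked pattern: every URL segment is joined onto root as-is."""
    path = root
    for word in filter(None, url_path.split("/")):
        path = ntpath.join(path, word)
    return ntpath.normpath(path)


def safe_translate(root, url_path):
    """Checked pattern: return a path under root, or None to refuse."""
    path = root
    for word in filter(None, url_path.split("/")):
        drive, rest = ntpath.splitdrive(word)
        # A segment must be a plain name: no drive, no separator, no dot-dirs.
        if drive or "\\" in rest or rest in ("", ".", ".."):
            return None
        path = ntpath.join(path, rest)
    path = ntpath.normpath(path)
    return path if is_inside(root, path) else None


if __name__ == "__main__":
    for url in ("/index.html", "/c:../", "/d:../"):
        naive = naive_translate(ROOT, url)
        print(url, "->", naive, "| inside root:", is_inside(ROOT, naive),
              "| checked:", safe_translate(ROOT, url))
```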