[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

Martin Panter report at bugs.python.org
Mon Mar 28 19:02:38 EDT 2016


Martin Panter added the comment:

Thomas: can you point to the “warning that those modules are not secure in the module docs”? All I can see is a warning in the pydoc output for http.server.__doc__, but that is specifically about the CGI server.

The specific bug with allowing c:c:c:.. looks like it would have been triggered by fixing Issue 19456. If so, 2.7 would also be affected.

The whole translate_path() algorithm looks over-complicated to me. One quick idea that comes to mind is to skip (or diagnose) each whole URL path component if there is any drive, directory etc syntax present, rather than making an attempt to strip it off. Perhaps check with os.path.dirname() or pathlib’s is_reserved().

One other thing I have wondered about, but I don’t know Windows well enough to be sure. Shouldn’t there be some protection against accessing special files like <http://127.0.0.1:8000/con.fusion>?

Ideally, I would like to see a common function somewhere to do this kind of path validation and conversion. There are other places even in the standard library where this is needed, which I mentioned at <https://bugs.python.org/issue21109#msg216675>.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26657>
_______________________________________
