[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2019-05-10 Thread Ned Deily
Change by Ned Deily: -- Removed message: https://bugs.python.org/msg342102

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2019-05-10 Thread Ned Deily
Ned Deily added the comment: New changeset 6f6bc1da8aaae52664e7747e328d26eb59c0e74f by larryhastings (Victor Stinner) in branch '3.4': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) https://github.com/python/cpython/commit/6f6bc1da8aaae52664e7747e328d26eb59c0

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-07-25 Thread Ned Deily
Changes by Ned Deily: -- versions: +Python 3.3, Python 3.4

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-07-25 Thread Ned Deily
Ned Deily added the comment: New changeset 7b92f9fa47df754b50c64aac84cf1c09693571af by Ned Deily (Victor Stinner) in branch '3.3': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) (#2860) https://github.com/python/cpython/commit/7b92f9fa47df754b50c64aac84cf1c096

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-07-25 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2911

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-07-12 Thread Larry Hastings
Larry Hastings added the comment: New changeset 6f6bc1da8aaae52664e7747e328d26eb59c0e74f by larryhastings (Victor Stinner) in branch '3.4': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) https://github.com/python/cpython/commit/6f6bc1da8aaae52664e7747e328d26eb5

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: Will this be backported to 3.3 or 3.6? I don't see a PR or checkin for either of those versions on this issue, and both those versions are open for security fixes. -- nosy: +larry

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-03-27 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +749

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2017-03-23 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +686

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-18 Thread Martin Panter
Martin Panter added the comment: Thanks for the report and the patch. -- resolution: -> fixed stage: commit review -> resolved status: open -> closed

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-18 Thread Roundup Robot
Roundup Robot added the comment: New changeset 8054a68dfce2 by Martin Panter in branch '3.5': Issue #26657: Fix Windows directory traversal vulnerability with http.server https://hg.python.org/cpython/rev/8054a68dfce2 New changeset 5d8042ab3361 by Martin Panter in branch 'default': Issue #26657:

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-15 Thread Martin Panter
Martin Panter added the comment: I will try to commit my patch in a couple days if there are no objections. -- stage: patch review -> commit review

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-02 Thread Martin Panter
Martin Panter added the comment: Regarding the trailing slash: this is certainly inconsistent, but one call site of translate_path() appears to depend on this being a forward slash. There seems to be confusion about whether the output is an OS path or a URL. I think this is just one more thing to

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-02 Thread Steve Dower
Steve Dower added the comment: Windows-only tests are fine, and certainly better than adding a new parameter just for testing. Forward slashes are valid path segment separators on Windows 99% of the time, so that'll be why nobody has complained. Personally I prefer consistency, but not strong

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-02 Thread Thomas
Thomas added the comment: Looks ok to me security-wise. But I just noticed that the trailing slash is inconsistent on Windows, e.g.: translate_path('asdf/') == 'C:\\Users\\User\\Desktop\\temp\\asdf/' <- this slash because path += '/' is used instead of os.path.sep. But apparently nobody co

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-04-01 Thread Martin Panter
Martin Panter added the comment: Thomas: My check for os.path.devnull was just a half-hearted attempt to check for special device names like NUL on Windows. It is far from foolproof, and would fail my CON.fusion test that I mentioned above. Anyway, to address this specific bug it would be bett

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-29 Thread Xiang Zhang
Xiang Zhang added the comment: URL handling in http.server is not perfect and there have already been some issues talking about it, i.e., issue5714, issue14567.

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-29 Thread Thomas
Thomas added the comment: Martin Panter: Regarding the warning, you appear to be correct. However, reading the source of http.server again made me notice _url_collapse_path(path) which seems to have some overlap with translate_path. Also it crashes with an IndexError if path contains '..'. Also,

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread Martin Panter
Martin Panter added the comment: Thomas: can you point to the “warning that those modules are not secure in the module docs”? All I can see is a warning in the pydoc output for http.server.__doc__, but that is specifically about the CGI server. The specific bug with allowing c:c:c:.. looks lik

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread Philipp Hagemeister
Philipp Hagemeister added the comment: Update testcase, and call split before splitdrive -- Added file: http://bugs.python.org/file42319/fix-path-traversal-26657.patch

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread Philipp Hagemeister
Philipp Hagemeister added the comment: Please find attached a patch which adds a testcase for Windows (on all platforms) as well as code to fix the problem. Since os.path.split returns everything after the final slash/backslash, it only needs to be called once. Note that the usage of posixpath
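An added, stand-alone re-implementation (not the patch attached to this thread, nor CPython's own http.server code) of the hardened translate_path logic the fix converged on: after splitting the URL on '/', any component that still carries a drive or directory part under the host's path rules, or is '.' or '..', is dropped instead of being passed to join(). The base directory and the path module are parameters (assumed names); ntpath is the default so the Windows behaviour, including the trailing-slash quirk Thomas noted, can be exercised on any platform.

```python
import ntpath
import posixpath
import urllib.parse


def translate_path(url_path, base_dir, pathmod=ntpath):
    """Map a request path onto a file under base_dir (hypothetical helper).

    Mirrors the hardened check http.server adopted for bpo-26657: a
    component such as 'c:c:c:..' or '..\\x' still has a drive or directory
    part according to pathmod.dirname(), so it is ignored rather than
    handed to pathmod.join(), where a drive-relative '..' would otherwise
    climb out of base_dir on Windows.  Pass posixpath for POSIX semantics.
    """
    # Drop query string and fragment, as http.server does.
    url_path = url_path.split('?', 1)[0].split('#', 1)[0]
    # Remember an explicit trailing slash before normalisation removes it.
    trailing_slash = url_path.rstrip().endswith('/')
    url_path = posixpath.normpath(urllib.parse.unquote(url_path))
    path = base_dir
    for word in url_path.split('/'):
        if not word:
            continue
        if pathmod.dirname(word) or word in (pathmod.curdir, pathmod.pardir):
            # Not a simple file/directory name: ignore it entirely.
            continue
        path = pathmod.join(path, word)
    if trailing_slash:
        # Kept as in the stdlib: a literal '/' rather than pathmod.sep,
        # which is the Windows inconsistency discussed in this thread.
        path += '/'
    return path


if __name__ == '__main__':
    base = 'C:\\srv\\www'  # constructed sample document root
    for req in ('/c:c:c:../secret.txt', '/../secret.txt',
                '/sub/..%5Cwin.ini', '/asdf/'):
        print(f'{req!r:24} -> {translate_path(req, base)!r}')
```

With ntpath the drive-prefixed component from the original report is discarded and the request resolves inside the document root; with posixpath the same string is just an oddly named directory, which is the correct POSIX reading.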

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread Xiang Zhang
Changes by Xiang Zhang: -- nosy: +xiang.zhang

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread Thomas
New submission from Thomas: SimpleHTTPServer and http.server allow directory traversal on Windows. To exploit this vulnerability, replace all ".." in URLs with "c:c:c:..". Example: Run python -m http.server and visit 127.0.0.1:8000/c:c:c:../secret_file_that_should_be_secret_but_is_not.txt The

[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2016-03-28 Thread SilentGhost
Changes by SilentGhost: -- components: +Windows nosy: +martin.panter, paul.moore, steve.dower, tim.golden, zach.ware versions: +Python 3.5