New submission from Brett Cannon <br...@python.org>: As reported to the PSRT:
Python's SimpleHTTPServer class is a simple HTTP server, documented as serving up the content of the pwd and below read-only via GET and HEAD commands:

    $ python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...

However, by inserting "../" path fragments within the path section of the URL, it's possible to traverse other directories within the filesystem. For example:

    lynx localhost:8000/../../../../..

shows 5 directories above in the directory structure.

I was also able to browse /proc and /sys on this example using:

    lynx localhost:8000/../../../../../../../../proc
    lynx localhost:8000/../../../../../../../../sys

(by browsing to find the correct number of ".." entries to locate the root directory); arguably this could be leaking much more information about the host than the administrator might be expecting (e.g. other programs being executed on the host, command-line arguments of those programs, etc.)

This has been fixed in CGIHTTPServer; see http://bugs.python.org/issue2254 and:
http://svn.python.org/view?view=rev&revision=71303

Guido recommended to not make this secret since no one should be using SimpleHTTPServer in production. He also said this should get fixed.

----------
components: Library (Lib)
messages: 128420
nosy: barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps
priority: release blocker
severity: normal
stage: needs patch
status: open
title: information leakage with SimpleHTTPServer
type: security
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11197>
_______________________________________
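As an added illustration (not code from the tracker thread or from CPython), here is the server-side path translation a defender wants: every request path is mapped onto a file under the served directory so that the "../" sequences reported above can never leave it. The served directory /srv/www and the function names are assumptions for the example.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed example, not the SimpleHTTPServer source.


def translate_path(url_path: str, base: str) -> str:
    """Map the path part of a request URL onto a file under `base`.

    Query string and fragment are discarded, percent-escapes are decoded
    first (so "%2e%2e" cannot slip past), the POSIX path is normalised and
    every "." / ".." component is dropped. Whatever the client sends, the
    result is always a path below `base`.
    """
    path = urlsplit(url_path).path            # drops "?query" and "#fragment"
    path = posixpath.normpath(unquote(path))  # decode, then collapse "a/../b"
    parts = [p for p in path.split("/") if p]
    result = os.path.abspath(base)
    for part in parts:
        # splitdrive/split defuse drive letters and backslash separators on Windows
        _, part = os.path.splitdrive(part)
        _, part = os.path.split(part)
        if part in (os.curdir, os.pardir):
            continue  # "." and ".." never move the server outside `base`
        result = os.path.join(result, part)
    return result


def is_within(base: str, candidate: str) -> bool:
    """Defence in depth: confirm the resolved path really sits under `base`.

    realpath() also follows symlinks, so a link inside the served tree that
    points outside it is caught here rather than by translate_path().
    """
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base
```

A request handler would call translate_path() and then refuse (404) anything for which is_within() is false before opening the file.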