On Wed, Nov 2, 2016 at 12:52 PM, Eric S. Johansson <e...@harvee.org> wrote:
> So this brings me back to my question. What is missing in
> SimpleHTTPServer to keep it from being secure enough?

There's no way to vet requests. You can't stop a request from accessing anything in the directory that SimpleHTTPServer is running in. I'm sure an enterprising individual could also probably access the shell session SimpleHTTPServer is running in as well. I haven't looked into the internals very much, but it is possible an attacker could use eval() to run a Python script sent in a request body. Not sure about that last one. I'll have to try it myself and report back.

--
https://mail.python.org/mailman/listinfo/python-list
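One way to add the request vetting that the reply above says is missing, as an added example that is not part of the original thread: a subclass of the stock handler that checks every path against a policy before any file is served. It assumes Python 3's `http.server` (the successor to `SimpleHTTPServer`); `vet_path`, `VettedHandler` and the suffix allowlist are hypothetical names and policy chosen for illustration.

```python
import posixpath
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import unquote

# Assumed policy for this example: only these file types may be served.
ALLOWED_SUFFIXES = {".html", ".css", ".js", ".png"}

def vet_path(raw_path):
    """Return the normalized URL path if policy allows it, else None."""
    # Drop query string and fragment, then decode once (as the stock handler does).
    path = unquote(raw_path.split("?", 1)[0].split("#", 1)[0])
    if "\x00" in path or "\\" in path:
        return None                      # NUL bytes / Windows separators
    if ".." in path.split("/"):
        return None                      # parent-directory traversal
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return None
    if any(part.startswith(".") for part in norm.split("/") if part):
        return None                      # dotfiles such as .env or .git/
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_SUFFIXES:
        return None                      # also rejects bare directories like "/"
    return norm

class VettedHandler(SimpleHTTPRequestHandler):
    """Stock handler with a policy check in front of GET and HEAD."""

    def _allowed(self):
        if vet_path(self.path) is None:
            self.send_error(404)         # same answer for denied and missing
            return False
        return True

    def do_GET(self):
        if self._allowed():
            super().do_GET()

    def do_HEAD(self):
        if self._allowed():
            super().do_HEAD()

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

if __name__ == "__main__":
    # Loopback only; serves the current working directory.
    HTTPServer(("127.0.0.1", 8000), VettedHandler).serve_forever()
```
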