On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <ma...@pacujo.net> wrote: > This is a security risk. Here is a brief demonstration. Copy the example > HTTP server from: > > <URL: https://docs.python.org/3/library/http.server.html?highlight=h > ttp#http.server.SimpleHTTPRequestHandler> > > Run the server. Try these URLs in your browser: > > 1. http://localhost:8000/ > > => The directory listing is provided > > 2. http://localhost:8000/test.html > > => A file is served or an HTTP error response (404) is generated > > 3. http://localhost:8000/te%00st.html > > => The server crashes with a ValueError and the TCP connection is > reset >
Actually, I couldn't even get Chrome to make that request, so it obviously was considered by the browser to be invalid. Doing the request with curl produced a traceback on the server and an empty response in the client. (And then the server returns to handling requests normally.) How is this a security risk, exactly? To be fair, it's somewhat unideal behaviour - I would prefer to see an HTTP 500 come back if the server crashes - but I can't see that that's a security problem. Just a QOS issue, wherein you might get a 500 rather than a 404 for certain requests. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
