[issue11197] information leakage with SimpleHTTPServer

2011-07-20 Thread Ori Livneh
Ori Livneh added the comment: Yes, I seem to have gotten confused about this. Sorry for the confusion, and thanks for clearing it up.

[issue11197] information leakage with SimpleHTTPServer

2011-07-01 Thread Huzaifa Sidhpurwala
Huzaifa Sidhpurwala added the comment: This should have been lynx localhost:8000/../../../../../../../../etc/passwd v/s lynx http://localhost:8000/../../../../../../../../etc/passwd

[issue11197] information leakage with SimpleHTTPServer

2011-07-01 Thread Huzaifa Sidhpurwala
Huzaifa Sidhpurwala added the comment: It seems python was being blamed for what is essentially the fault of lynx. The following would translate into browsing files locally from the system and not from the web: lynx http://localhost:8000/../../../../../../../../etc/passwd The correct syntax

[issue11197] information leakage with SimpleHTTPServer

2011-06-26 Thread Senthil Kumaran
Senthil Kumaran added the comment: The module documentation for the SimpleHTTPServer class says that. """ This class serves files from the current directory and below, directly mapping the directory structure to HTTP requests. """ As it is already documented. Nothing else needs to be d

[issue11197] information leakage with SimpleHTTPServer

2011-06-25 Thread engelbert gruber
Changes by engelbert gruber: -- nosy: +rhettinger

[issue11197] information leakage with SimpleHTTPServer

2011-06-25 Thread engelbert gruber
engelbert gruber added the comment: My test setup: test.html 2.5/test.html 2.7/test.html in 2.5 and 2.7 execute :: python.exe -m SimpleHTTPServer 8000 ``http://localhost:8000/../`` shows the contents of the ``2.x`` directory. ``http://localhost:8000/../test.html`` shows the contents

[issue11197] information leakage with SimpleHTTPServer

2011-06-25 Thread engelbert gruber
engelbert gruber added the comment: SimpleHTTPServer does not exist in Python3.1 up instead http.server. All versions (3.x 2011-06-25) reply the contents from the served directory on a request of the upper directory and act similar with files. Maybe documentation needs an update documentation

[issue11197] information leakage with SimpleHTTPServer

2011-06-18 Thread Senthil Kumaran
Senthil Kumaran added the comment: Ori, which platform did you try to reproduce this issue on? I tried in all active codelines (cpython to all through 2.5) from hg and am not able to reproduce this bug on Linux. If someone can reproduce, can you provide exact instructions?

[issue11197] information leakage with SimpleHTTPServer

2011-06-12 Thread Ori Livneh
Ori Livneh added the comment: I updated the patch, making the emendations suggested by Eric's review, and making a few additional changes. I was bothered that translate_path was duplicating functionality from _url_collapse_path_split, so I made some corrections to the latter and rewrote trans

[issue11197] information leakage with SimpleHTTPServer

2011-06-05 Thread Ori Livneh
Ori Livneh added the comment: I've attached my proposal for a fix. It's my first, so apologies if I've made a mistake somewhere. Senthil Kumaran, to whom the bug is currently assigned, kindly agreed to let me take a stab at it (thanks!). The approach I took was to normalize the path by replac

[issue11197] information leakage with SimpleHTTPServer

2011-06-05 Thread Ori Livneh
Changes by Ori Livneh: -- nosy: +Ori.Livneh

[issue11197] information leakage with SimpleHTTPServer

2011-06-03 Thread Éric Araujo
Changes by Éric Araujo: -- nosy: +eric.araujo

[issue11197] information leakage with SimpleHTTPServer

2011-05-31 Thread John O'Connor
Changes by John O'Connor: -- nosy: +jcon

[issue11197] information leakage with SimpleHTTPServer

2011-05-16 Thread Senthil Kumaran
Changes by Senthil Kumaran: -- assignee: -> orsenthil nosy: +orsenthil

[issue11197] information leakage with SimpleHTTPServer

2011-05-15 Thread Gregory P. Smith
Gregory P. Smith added the comment: unassigning, i don't have time for this one right now. doubtful anyone is going to jump in for 3.2.1 given rc1 is being prepared right now. :) General recommendation: don't use SimpleHTTPServer in production. -- assignee: gregory.p.smith ->

[issue11197] information leakage with SimpleHTTPServer

2011-02-24 Thread david
david added the comment: This may be stupid but... shouldn't the example be: lynx http://localhost:8000/../../../../../etc/passwd ... which does _not_ work. -- nosy: +db

[issue11197] information leakage with SimpleHTTPServer

2011-02-13 Thread Georg Brandl
Georg Brandl added the comment: Lowering priority. -- priority: deferred blocker -> critical

[issue11197] information leakage with SimpleHTTPServer

2011-02-12 Thread Gregory P. Smith
Gregory P. Smith added the comment: Agreed, fixing this is going to be too complex for 3.2.0, it'll be done for 3.2.1. Reading over the http.server Simple and CGI HTTPRequestHandler code I see there many problems with the way this code does things today. General: * I'm not sure urllib.parse

[issue11197] information leakage with SimpleHTTPServer

2011-02-11 Thread Georg Brandl
Georg Brandl added the comment: This would be nice to fix in 3.2; however, since SimpleHTTPServer is not meant to be used in production, and it's not a regression, I will not hold up the release schedule for it. I'd need to see a patch for deciding. -- priority: release blocker -> de

[issue11197] information leakage with SimpleHTTPServer

2011-02-11 Thread Gregory P. Smith
Changes by Gregory P. Smith: -- assignee: -> gregory.p.smith nosy: +gregory.p.smith

[issue11197] information leakage with SimpleHTTPServer

2011-02-11 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: -- nosy: +Arfrever

[issue11197] information leakage with SimpleHTTPServer

2011-02-11 Thread Dave Malcolm
Dave Malcolm added the comment: CVE-2011-0705

[issue11197] information leakage with SimpleHTTPServer

2011-02-11 Thread Brett Cannon
New submission from Brett Cannon: As reported to the PSRT: Python's SimpleHTTPServer class is a simple HTTP server, documented as serving up the content of the pwd and below readonly via GET and HEAD commands: $ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... However, by in