On Thu, Jun 7, 2018 at 10:18 PM, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> On Thu, 07 Jun 2018 13:47:07 +0300, Marko Rauhamaa wrote:
>
>> Chris Angelico <ros...@gmail.com>:
>>
>>> On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <ma...@pacujo.net>
>>> wrote:
>>>> 3. http://localhost:8000/te%00st.html
>>>>
>>>> => The server crashes with a ValueError and the TCP connection is
>>>> reset
>>>>
>>>>
>>> Actually, I couldn't even get Chrome to make that request, so it
>>> obviously was considered by the browser to be invalid.
>>
>> Wow! Why on earth?
>
> It works in Firefox, but Apache truncates the URL:
>
>
> Not Found
> The requested URL /te was not found on this server.
>
>
> instead of te%00st.html
>
> I wonder how many publicly facing web servers can be induced to either
> crash, or serve the wrong content, this way?
>

Define "serve the wrong content". You could get the exact same content
by asking for "te" instead of "te%00st.html"; what you've done is not
significantly different from this:

http://localhost:8000/te?st.html

Is that a security problem too?

ChrisA
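
An added example, not part of the thread and not code from any server mentioned in it: one way a handler can treat the two request targets discussed above, answering `/te%00st.html` with a 400 instead of crashing or truncating, while `/te?st.html` resolves to `te` as ordinary query handling. The names `resolve_request_path` and `BadRequestPath` and the document root `/srv/www` are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote


class BadRequestPath(Exception):
    """The request target should be answered with 400 Bad Request."""


def resolve_request_path(target, root="/srv/www"):
    """Map a raw request target to a path under root.

    root is a constructed placeholder document root.
    """
    # '?' and '#' end the path component, so "/te?st.html" names "/te"
    # with query "st.html". That split happens before any decoding.
    raw_path = target.split("#", 1)[0].split("?", 1)[0]
    if not raw_path.startswith("/"):
        raise BadRequestPath("request target must start with '/'")

    # Decode exactly once and refuse bytes that are not valid UTF-8.
    try:
        decoded = unquote(raw_path, errors="strict")
    except UnicodeDecodeError as exc:
        raise BadRequestPath("path is not valid UTF-8") from exc

    # %00 decodes to NUL. Passed on to os.stat()/open() it raises
    # ValueError in Python; a C string API would stop reading at it.
    # Reject it, and other control characters, instead of doing either.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise BadRequestPath("control character in path")

    # Collapse "." and ".." so the result cannot leave root.
    normalized = posixpath.normpath(decoded)
    return posixpath.join(root, normalized.lstrip("/"))
```

The caller maps `BadRequestPath` to a 400 response, so the connection is answered and closed normally and no truncated name reaches the filesystem.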