On 2018-06-08 03:42, Chris Angelico wrote:
> Apart from the one odd bug with SimpleHTTPServer not properly sending
> back 500s, I very much doubt that the original concern - namely that
> os.path.exists() and os.stat() raise ValueError if there's a %00 in
> the URL - can be abused effectively.

Dismissing HTTP 500s as "not a vulnerability" sounds reasonable enough to me. But you're assuming that all other expressions of this bug in applications will be at least as benign. I'm not sure that that's warranted.
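An added example, not part of the original message or of CPython: a request-path resolver that answers a decoded `%00` with a client error instead of letting the `ValueError` from `os.stat()` discussed in this thread escape as an unhandled exception. The helper name `resolve_request_path`, its `(status, path)` return shape and the sample requests are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_request_path(doc_root, url_path):
    """Map a URL path to a file under doc_root (hypothetical helper).

    Returns (status, filesystem_path or None).
    """
    # Drop the query string, then percent-decode: "%00" becomes "\x00".
    decoded = unquote(url_path.split("?", 1)[0])

    # First layer: a NUL byte can never name a real file, so reject it
    # before any os.* call has the chance to raise ValueError.
    if "\x00" in decoded:
        return 400, None

    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))

    # Keep the resolved path inside the document root.
    if os.path.commonpath([root, candidate]) != root:
        return 403, None

    # Second layer: even if the check above is removed or bypassed,
    # a ValueError from os.stat() is mapped to a 4xx, not a crash.
    try:
        os.stat(candidate)
    except ValueError:
        return 400, None
    except OSError:
        return 404, None
    return 200, candidate


if __name__ == "__main__":
    # Constructed sample requests against a throwaway document root.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "index.html"), "w").close()
        for req in ("/index.html", "/index.html%00.jpg",
                    "/missing.html", "/../../etc/passwd"):
            print(req, "->", resolve_request_path(root, req)[0])
```

The same two-layer pattern applies anywhere request-derived strings reach `os.stat()` or similar calls, which is the class of application code the reply above is asking about.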