[issue11197] information leakage with SimpleHTTPServer

Ori Livneh ori.liv...@gmail.com added the comment:

Yes, I seem to have gotten confused about this. Sorry for the confusion, and thanks for clearing it up.

--
___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11197 ___
___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Huzaifa Sidhpurwala sidhpurwala.huza...@gmail.com added the comment:

It seems Python was being blamed for what is essentially the fault of lynx. The following would translate into browsing files locally from the system and not from the web:

    lynx http://localhost:8000/../../../../../../../../etc/passwd

The correct syntax for testing should have been:

    lynx http://localhost:8000/../../../../../../../../etc/passwd

--
nosy: +Huzaifa.Sidhpurwala

Huzaifa Sidhpurwala sidhpurwala.huza...@gmail.com added the comment:

This should have been

    lynx localhost:8000/../../../../../../../../etc/passwd

v/s

    lynx http://localhost:8000/../../../../../../../../etc/passwd

--

Senthil Kumaran sent...@uthcode.com added the comment:

The module documentation for the SimpleHTTPServer class says that:

    This class serves files from the current directory and below, directly mapping the directory structure to HTTP requests.

As it is already documented, nothing else needs to be done for this report. Closing this one. Thanks!

--
resolution:  -> invalid
stage: needs patch -> committed/rejected
status: open -> closed

engelbert gruber grub...@users.sourceforge.net added the comment:

SimpleHTTPServer does not exist in Python 3.1 and up; instead there is http.server. All versions (3.x as of 2011-06-25) reply with the contents of the served directory on a request for the upper directory, and act similarly with files. Maybe the documentation needs an update.

--
nosy: +grubert
versions: -Python 3.1, Python 3.2, Python 3.3

engelbert gruber grub...@users.sourceforge.net added the comment:

My test setup::

    test.html
    2.5/test.html
    2.7/test.html

In 2.5 and 2.7 execute::

    python.exe -m SimpleHTTPServer 8000

``http://localhost:8000/../`` shows the contents of the ``2.x`` directory.

``http://localhost:8000/../test.html`` shows the contents of the file in the ``2.x`` directory, not the one in the upper directory.

Should be closed.

--

Changes by engelbert gruber grub...@users.sourceforge.net:

--
nosy: +rhettinger

Senthil Kumaran sent...@uthcode.com added the comment:

Ori, on which platform did you try to reproduce this issue? I tried in all active codelines (cpython to all through 2.5) from hg and was not able to reproduce this bug on Linux. If someone can reproduce it, can you provide exact instructions?

--

Ori Livneh ori.liv...@gmail.com added the comment:

I updated the patch, making the emendations suggested by Eric's review, and making a few additional changes.

I was bothered that translate_path was duplicating functionality from _url_collapse_path_split, so I made some corrections to the latter and rewrote translate_path so that it uses _url_collapse_path_split and implements only the checks necessary for translating the path to a path on the local file system. translate_path relies on os.path to make sure the path is safe, which is (I think) also the proper way to do things, since it's not good to have to remember to update path semantics in http.server if Python is ported to additional platforms.

I also read the various specs and made sure entities are unquoted at the appropriate point.

--
Added file: http://bugs.python.org/file22338/translate_path_rev2.patch

Changes by Ori Livneh ori.liv...@gmail.com:

--
nosy: +Ori.Livneh

Ori Livneh ori.liv...@gmail.com added the comment:

I've attached my proposal for a fix. It's my first, so apologies if I've made a mistake somewhere. Senthil Kumaran, to whom the bug is currently assigned, kindly agreed to let me take a stab at it (thanks!).

The approach I took was to normalize the path by replacing each of os.sep and os.altsep with slashes if (a) these characters are present in the path component and (b) the operating system is such that os.sep or os.altsep != '/'. (Currently, os.altsep is either None or '/' on all systems, but it seemed like a good idea to check anyway.)

Requesting a relative path which, when translated, would point above the current working directory (e.g. http://localhost:8000/../) causes the server to return a 400 error, which is just how Apache responds to such requests. Internal calls to translate_path with such malformed paths cause translate_path to raise an IndexError, which is consistent with how _url_collapse_path_split (used by CGIRequestHandler) handles them.

--
keywords: +patch
Added file: http://bugs.python.org/file22260/translate_path.patch

Changes by Éric Araujo mer...@netwok.org:

--
nosy: +eric.araujo

Changes by John O'Connor tehj...@gmail.com:

--
nosy: +jcon

Changes by Senthil Kumaran sent...@uthcode.com:

--
assignee:  -> orsenthil
nosy: +orsenthil

Gregory P. Smith g...@krypto.org added the comment:

Unassigning, I don't have time for this one right now. Doubtful anyone is going to jump in for 3.2.1 given rc1 is being prepared right now. :)

General recommendation: don't use SimpleHTTPServer in production.

--
assignee: gregory.p.smith -> 

david db.pub.m...@gmail.com added the comment:

This may be stupid but... shouldn't the example be:

    lynx http://localhost:8000/../../../../../etc/passwd

... which does _not_ work.

--
nosy: +db

Georg Brandl ge...@python.org added the comment:

Lowering priority.

--
priority: deferred blocker -> critical

Gregory P. Smith g...@krypto.org added the comment:

Agreed, fixing this is going to be too complex for 3.2.0; it'll be done for 3.2.1.

Reading over the http.server Simple and CGI HTTPRequestHandler code I see many problems with the way this code does things today.

General:

* I'm not sure urllib.parse.unquote() is called on the path in the correct place all the time. Studying some RFCs will be required to confirm that. Specifically, the CGI handler unquotes the path before fixing it up. The Simple handler never unquotes the path.

Simple (and subclasses such as CGI):

* The mentioned directory traversal vulnerability.

CGI:

* The _url_collapse_path_split called by is_cgi lets os.sep's through unchecked, so a request for /foo/bar\..\..\..\..\..\../ for example should still find its way out on Windows. issue2254 wasn't 100% fixed.
* _url_collapse_path_split should really ignore the query string and anchor; though the way it is used it likely just wastes time processing them and discarding the result.
* It uses fork() + execve() on posix systems. It should always use subprocess instead in order to be thread safe.

The first thing I'll be doing is coming up with test cases demonstrating each of these issues.

--
versions: -Python 2.5
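A path-mapping routine that applies the rules discussed in this thread (Ori's patch description: os.sep/os.altsep normalized to '/', a 400 or IndexError for paths that climb above the root; Gregory's review points: unquote once in the right place, ignore query string and anchor, do not let os.sep through unchecked), written as an added example for this thread rather than the tracker's patch or CPython's own code. The names collapse_url_path, translate_path and the extra_seps parameter are assumptions; extra_seps is passed explicitly so the Windows separator case can be exercised on any platform.

```python
import os
import urllib.parse


def collapse_url_path(url_path, extra_seps=()):
    """Return the path components of url_path with '.' and '..' resolved.

    Raises IndexError when '..' would climb above the served root, which is
    the behaviour the patch discussion proposes for internal callers.
    """
    # The query string and fragment are not part of the path at all.
    path = url_path.split('?', 1)[0].split('#', 1)[0]
    # Percent-decode exactly once, before any '..' handling, so that an
    # encoded '%2e%2e' is collapsed exactly like a literal '..'.
    path = urllib.parse.unquote(path)
    # Treat platform separators (e.g. '\\' on Windows) as '/', so that
    # 'bar\\..\\..' cannot pass through as a single file name component.
    for sep in extra_seps:
        if sep and sep != '/':
            path = path.replace(sep, '/')
    parts = []
    for part in path.split('/'):
        # Drop any drive prefix ('C:'), as the stdlib translate_path does.
        part = os.path.splitdrive(part)[1]
        if part in ('', '.'):
            continue
        if part == '..':
            if not parts:
                raise IndexError('request path escapes the served root')
            parts.pop()
        else:
            parts.append(part)
    return parts


def translate_path(url_path, root, extra_seps=(os.sep, os.altsep)):
    """Map url_path to a file system path below root.

    Returns None when the request must be refused with 400 Bad Request,
    the response the proposed patch sends for such requests.
    """
    root = os.path.abspath(root)
    try:
        parts = collapse_url_path(url_path, extra_seps)
    except IndexError:
        return None
    full = os.path.normpath(os.path.join(root, *parts))
    # Belt and braces: the joined result must still lie below root.
    if os.path.commonpath([root, full]) != root:
        return None
    return full
```

The last assertion in the accompanying checks shows the os.sep concern from the review: without treating '\\' as a separator, 'bar\\..\\x' is just an odd file name, so whether it is a separator must be decided per platform, never left to chance.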

New submission from Brett Cannon br...@python.org:

As reported to the PSRT:

Python's SimpleHTTPServer class is a simple HTTP server, documented as serving up the content of the pwd and below read-only via GET and HEAD commands:

    $ python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...

However, by inserting ../ path fragments within the path section of the URL, it's possible to traverse other directories within the filesystem. For example:

    lynx localhost:8000/../../../../..

shows 5 directories above in the directory structure.

I was also able to browse /proc and /sys on this example using:

    lynx localhost:8000/../../../../../../../../proc
    lynx localhost:8000/../../../../../../../../sys

(by browsing to find the correct number of .. entries to locate the root directory); arguably this could be leaking much more information about the host than the administrator might be expecting (e.g. other programs being executed on the host, command-line arguments of those programs, etc.)

This has been fixed in CGIHTTPServer; see http://bugs.python.org/issue2254 and http://svn.python.org/view?view=rev&revision=71303

Guido recommended to not make this secret since no one should be using SimpleHTTPServer in production. He also said this should get fixed.

--
components: Library (Lib)
messages: 128420
nosy: barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps
priority: release blocker
severity: normal
stage: needs patch
status: open
title: information leakage with SimpleHTTPServer
type: security
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

Dave Malcolm dmalc...@redhat.com added the comment:

CVE-2011-0705

--

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:

--
nosy: +Arfrever

Changes by Gregory P. Smith g...@krypto.org:

--
assignee:  -> gregory.p.smith
nosy: +gregory.p.smith

Georg Brandl ge...@python.org added the comment:

This would be nice to fix in 3.2; however, since SimpleHTTPServer is not meant to be used in production, and it's not a regression, I will not hold up the release schedule for it. I'd need to see a patch for deciding.

--
priority: release blocker -> deferred blocker