[issue26657] Directory traversal with http.server and SimpleHTTPServer on windows

2019-05-10 Thread Ned Deily
Change by Ned Deily: -- Removed message: https://bugs.python.org/msg342102

2019-05-10 Thread Ned Deily
Ned Deily added the comment: New changeset 6f6bc1da8aaae52664e7747e328d26eb59c0e74f by larryhastings (Victor Stinner) in branch '3.4': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782)

2017-07-25 Thread Ned Deily
Changes by Ned Deily: -- versions: +Python 3.3, Python 3.4

2017-07-25 Thread Ned Deily
Ned Deily added the comment: New changeset 7b92f9fa47df754b50c64aac84cf1c09693571af by Ned Deily (Victor Stinner) in branch '3.3': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) (#2860)

2017-07-25 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +2911

2017-07-12 Thread Larry Hastings
Larry Hastings added the comment: New changeset 6f6bc1da8aaae52664e7747e328d26eb59c0e74f by larryhastings (Victor Stinner) in branch '3.4': bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782)

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: Will this be backported to 3.3 or 3.6? I don't see a PR or checkin for either of those versions on this issue, and both those versions are open for security fixes. -- nosy: +larry

2017-03-27 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +749

2017-03-23 Thread STINNER Victor
Changes by STINNER Victor: -- pull_requests: +686

2016-04-18 Thread Martin Panter
Martin Panter added the comment: Thanks for the report and the patch. -- resolution: -> fixed stage: commit review -> resolved status: open -> closed

2016-04-18 Thread Roundup Robot
Roundup Robot added the comment: New changeset 8054a68dfce2 by Martin Panter in branch '3.5': Issue #26657: Fix Windows directory traversal vulnerability with http.server https://hg.python.org/cpython/rev/8054a68dfce2 New changeset 5d8042ab3361 by Martin Panter in branch 'default': Issue

2016-04-15 Thread Martin Panter
Martin Panter added the comment: I will try to commit my patch in a couple days if there are no objections. -- stage: patch review -> commit review

2016-04-02 Thread Martin Panter
Martin Panter added the comment: Regarding the trailing slash: this is certainly inconsistent, but one call site of translate_path() appears to depend on this being a forward slash. There seems to be confusion about whether the output is an OS path or a URL. I think this is just more thing to

2016-04-02 Thread Steve Dower
Steve Dower added the comment: Windows-only tests are fine, and certainly better than adding a new parameter just for testing. Forward slashes are valid path segment separators on Windows 99% of the time, so that'll be why nobody has complained. Personally I prefer consistency, but not

2016-04-01 Thread Martin Panter
Martin Panter added the comment: Thomas: My check for os.path.devnull was just a half-hearted attempt to check for special device names like NUL on Windows. It is far from foolproof, and would fail my CON.fusion test that I mentioned above. Anyway, to address this specific bug it would be

2016-03-29 Thread Xiang Zhang
Xiang Zhang added the comment: URL handling in http.server is not perfect and there have already been some issues talking about it, i.e., issue5714, issue14567.

2016-03-29 Thread Thomas
Thomas added the comment: Martin Panter: Regarding the warning, you appear to be correct. However, reading the source of http.server again made me notice _url_collapse_path(path) which seems to have some overlap with translate_path. Also it crashes with an IndexError if path contains '..'.

2016-03-28 Thread Martin Panter
Martin Panter added the comment: Thomas: can you point to the “warning that those modules are not secure in the module docs”? All I can see is a warning in the pydoc output for http.server.__doc__, but that is specifically about the CGI server. The specific bug with allowing c:c:c:.. looks

2016-03-28 Thread Philipp Hagemeister
Philipp Hagemeister added the comment: Update testcase, and call split before splitdrive -- Added file: http://bugs.python.org/file42319/fix-path-traversal-26657.patch

2016-03-28 Thread Philipp Hagemeister
Philipp Hagemeister added the comment: Please find attached a patch which adds a testcase for Windows (on all platforms) as well as code to fix the problem. Since os.path.split returns everything after the final slash/backslash, it only needs to be called once. Note that the usage of

2016-03-28 Thread Xiang Zhang
Changes by Xiang Zhang: -- nosy: +xiang.zhang

2016-03-28 Thread Thomas
New submission from Thomas: SimpleHTTPServer and http.server allow directory traversal on Windows. To exploit this vulnerability, replace all ".." in URLs with "c:c:c:..". Example: Run python -m http.server and visit 127.0.0.1:8000/c:c:c:../secret_file_that_should_be_secret_but_is_not.txt

2016-03-28 Thread SilentGhost
Changes by SilentGhost: -- components: +Windows nosy: +martin.panter, paul.moore, steve.dower, tim.golden, zach.ware versions: +Python 3.5