[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2021-05-21 Thread Ned Deily
Ned Deily added the comment: This looks like a duplicate of Issue43223 which has a PR in progress.
--
nosy: +ned.deily
resolution: -> duplicate
stage: -> resolved
status: open -> closed
superseder: -> [security] http.server: Open Redirection if the URL path starts with //

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2019-08-14 Thread Ashwin Ramaswami
Change by Ashwin Ramaswami:
--
nosy: +epicfaace

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2018-07-30 Thread Martin Panter
Martin Panter added the comment: In Issue 34276 I suggested a fix to “urlunsplit”. In this case it would send “Location: www.python.org/%2f../”, with an extra pair of slashes denoting an empty host name. This should stop a browser from seeing “www.python.org” as a host name.
--

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2017-11-25 Thread Martin Panter
Martin Panter added the comment: Maybe a good fix would be to “escape” the double slash with “/.”:

    if os.path.isdir(path):
        url = self.path
        if url.startswith('//'):
            # E.g. "//www.python.org/%2f.."
            url = "/." + url  # Becomes "/.//www.python.org/%2f.."

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2017-11-20 Thread STINNER Victor
STINNER Victor added the comment: I wrote this patch, but I'm not sure that it's ok to always reject redirection URLs starting with //: diff --git a/Lib/http/server.py b/Lib/http/server.py index 502bce0c7a..494031b8c2 100644 --- a/Lib/http/server.py +++

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2017-11-20 Thread STINNER Victor
STINNER Victor added the comment: Extract of send_head():

    path = self.translate_path(self.path)
    f = None
    if os.path.isdir(path):
        parts = urllib.parse.urlsplit(self.path)
        ...

[issue32084] [Security] http.server can be abused to redirect to (almost) arbitrary URL

2017-11-20 Thread STINNER Victor
New submission from STINNER Victor: iDer reported a vulnerability in the HTTP server.

(1) Start a local HTTP server (listen to tcp/8000):

    python3 -m http.server 8000

(2) Open a web browser and go to:

    http://localhost:8000//www.python.org/%2f..

=> the browser is
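The following is an added example, not code from the tracker thread or from CPython itself. It reproduces, with the standard library's urllib.parse, how the Location header quoted in this report comes out of the urlsplit/urlunsplit sequence in the send_head() extract above: a request path beginning with "//" is parsed as a network-path reference, so the host part of the attacker-controlled path becomes the netloc of the redirect. It then applies Martin Panter's "/." escape and, as an alternative labelled as an assumption rather than anything proposed in this thread, a collapse of the leading slashes to a single "/", and checks each result with a small is_open_redirect() helper (also an assumption) that asks whether a browser would resolve the Location against a different host. The function names and the sample paths are constructed for this illustration.

```python
import urllib.parse


def redirect_location(request_path):
    """Rebuild the Location value that the send_head() extract quoted in this
    thread produces for a directory request without a trailing slash.
    Modelled on that extract for illustration; the real handler first checks
    os.path.isdir(self.translate_path(self.path)), which the trailing '%2f..'
    in the report satisfies by mapping the request onto the served directory.
    """
    parts = urllib.parse.urlsplit(request_path)
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urllib.parse.urlunsplit(new_parts)


def escape_double_slash(request_path):
    """Martin Panter's suggestion from this thread: prefix '/.' so the path
    can no longer be read as '//host/...'. '//www.python.org/%2f..' becomes
    '/.//www.python.org/%2f..', which urlsplit keeps entirely in the path."""
    if request_path.startswith('//'):
        return '/.' + request_path
    return request_path


def collapse_leading_slashes(request_path):
    """Alternative mitigation (an assumption for this example, not a proposal
    from the thread): reduce any run of leading slashes to exactly one before
    the path is parsed, so no netloc can ever be synthesised from it."""
    if request_path.startswith('//'):
        return '/' + request_path.lstrip('/')
    return request_path


def is_open_redirect(location):
    """Return True if a browser would resolve this Location value against a
    host other than the one that served it: either an absolute URL (scheme
    present) or a scheme-relative network-path reference (netloc present).
    A plain path-only reference is resolved against the origin and is safe."""
    parts = urllib.parse.urlsplit(location)
    return bool(parts.scheme or parts.netloc)


def evaluate(request_path):
    """Run the three variants for one request path and report whether each
    resulting Location would leave the origin (constructed demo driver)."""
    return {
        'as-is': is_open_redirect(redirect_location(request_path)),
        'escape "/."': is_open_redirect(
            redirect_location(escape_double_slash(request_path))),
        'collapse "//"': is_open_redirect(
            redirect_location(collapse_leading_slashes(request_path))),
    }


if __name__ == '__main__':
    # Constructed sample: the exact path from the report, plus a benign one.
    for sample in ('//www.python.org/%2f..', '/docs'):
        print(sample)
        print('  Location as-is   :', redirect_location(sample))
        print('  with "/." escape :',
              redirect_location(escape_double_slash(sample)))
        print('  slashes collapsed:',
              redirect_location(collapse_leading_slashes(sample)))
        for name, leaves_origin in evaluate(sample).items():
            print('  %-16s open redirect: %s' % (name, leaves_origin))
```

Running it shows the as-is variant emitting "//www.python.org/%2f../", which urlsplit reports with netloc "www.python.org", while both mitigations keep the whole string in the path component; the benign "/docs" is unaffected by either. Note that the "/." escape relies on the redirect target being resolved as a path and then normalised by the client, whereas collapsing the slashes changes the request path the server itself goes on to serve, so the two are not interchangeable in every deployment.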