classification
Title: list_directory() in SimpleHTTPServer.py should add charset=... to Content-type header
Type: security Stage: resolved
Components: Versions: Python 2.7, Python 2.6, Python 2.5
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: orsenthil Nosy List: Tom.N, barry, benjamin.peterson, gvanrossum, orsenthil, pitrou, python-dev
Priority: Keywords: patch

Created on 2011-03-08 19:05 by gvanrossum, last changed 2012-06-27 14:56 by gvanrossum. This issue is now closed.

Files
File name Uploaded Description Edit
SimpleHTTPServer-fix-2.7.patch Tom.N, 2011-03-17 00:18 Patch to make SimpleHTTPServer report the correct content type header in listings.
Messages (13)
msg130347 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2011-03-08 19:05
The security list received a report about SimpleHTTPServer's list_directory(). It needs to add a charset parameter to the Content-type header. This is already done in Python 3 (where this code lives in http/server.py) but not in any Python 2 versions I can find. A simple backport of the code in Python 3 should hopefully suffice.

I'm marking this tentatively as a release blocker, but I don't see it's necessary to issue an urgent release. It should just be fixed before the next scheduled releases of 2.5, 2.6, 2.7.
msg130348 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-03-08 19:09
> It needs to add a charset parameter to the Content-type header.

What is the rationale?
msg130349 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2011-03-08 19:14
>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?

Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.
msg131200 - (view) Author: Thomas Nixon (Tom.N) Date: 2011-03-17 00:18
I have backported the code from python 3, to apply to the current 2.7 branch. All tests pass, and my machine reports "Content-type: text/html; charset=UTF-8", which appears to be correct.
msg131205 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2011-03-17 00:54
Looks good, this should be committed to the 2.5 branch first, then
merged to 2.6, then to 2.7.
msg131228 - (view) Author: Roundup Robot (python-dev) Date: 2011-03-17 06:49
New changeset e9724d7abbc2 by Senthil Kumaran in branch '2.5':
Fix issue11442 - Add a charset parameter to the Content-type to avoid XSS attacks.
http://hg.python.org/cpython/rev/e9724d7abbc2
msg131231 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2011-03-17 07:06
Fixed in all the relevant code lines.
msg131707 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2011-03-21 23:26
Thanks Senthil!
msg133938 - (view) Author: Roundup Robot (python-dev) Date: 2011-04-17 21:01
New changeset bb1695c6cea1 by Martin v. Löwis in branch '2.5':
Issue 11442: Add NEWS entry for e9724d7abbc2
http://hg.python.org/cpython/rev/bb1695c6cea1
msg136400 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-05-20 20:23
Senthil, I just want to verify.  You applied this patch to the Python 2.6 branch in hg, but not in svn, correct?  Since I'm going to be making the 2.6.7 release from svn, I am porting this patch over to the svn 2.6 branch.  You don't have to do that, but if you can just confirm it, that would be great.
msg136403 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2011-05-20 22:07
Let me confirm that. Since it is a security patch the entire point of it is to be placed in the release.

I don't want to question the reasons for doing the release from svn instead of from hg, but I do want to emphasize that the hg branch ought to be considered the master which svn should track as closely as possible.  The only reason to not port a patch to the svn branch would be if it was submitted to the hg branch in contradiction with some policy (e.g. a non-security fix to a branch that should only receive security fixes), and then it should probably be rolled back in the hg branch (and the decision to do so should be very visible on python-dev).
msg136404 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-05-20 22:37
On May 20, 2011, at 10:07 PM, Guido van Rossum wrote:

>
>Guido van Rossum <guido@python.org> added the comment:
>
>Let me confirm that. Since it is a security patch the entire point of it is
>to be placed in the release.

Cool, I've ported it over to svn.

>I don't want to question the reasons for doing the release from svn instead
>of from hg, but I do want to emphasize that the hg branch ought to be
>considered the master which svn should track as closely as possible.  The
>only reason to not port a patch to the svn branch would be if it was
>submitted to the hg branch in contradiction with some policy (e.g. a
>non-security fix to a branch that should only receive security fixes), and
>then it should probably be rolled back in the hg branch (and the decision to
>do so should be very visible on python-dev).

I'm okay with that.  Right now I can't push my reconciled hg repo though
because line ending changes were committed to various files in hg but not
svn.  I don't think they're appropriate frankly, but rolling them back causes
hg push to fail.

Antoine suggested whitelisting those files in .hgeol, which I'll investigate.
msg164163 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2012-06-27 14:56
For posterity, according to the red hat tracker at https://bugzilla.redhat.com/show_bug.cgi?id=803500 this issue has been assigned a CVE number: CVE-2011-4940
History
Date User Action Args
2012-06-27 14:56:12gvanrossumsetmessages: + msg164163
2011-05-20 22:37:02barrysetmessages: + msg136404
2011-05-20 22:07:33gvanrossumsetmessages: + msg136403
2011-05-20 20:23:50barrysetmessages: + msg136400
2011-04-17 21:01:36python-devsetmessages: + msg133938
2011-03-21 23:26:11gvanrossumsetnosy: gvanrossum, barry, orsenthil, pitrou, benjamin.peterson, Tom.N, python-dev
messages: + msg131707
2011-03-17 07:06:12orsenthilsetstatus: open -> closed
priority: release blocker ->

assignee: orsenthil
nosy: gvanrossum, barry, orsenthil, pitrou, benjamin.peterson, Tom.N, python-dev
messages: + msg131231
resolution: fixed
stage: needs patch -> resolved
2011-03-17 06:49:53python-devsetnosy: + python-dev
messages: + msg131228
2011-03-17 00:54:21gvanrossumsetnosy: gvanrossum, barry, orsenthil, pitrou, benjamin.peterson, Tom.N
messages: + msg131205
2011-03-17 00:18:45Tom.Nsetfiles: + SimpleHTTPServer-fix-2.7.patch

nosy: + Tom.N
messages: + msg131200

keywords: + patch
2011-03-08 19:14:21gvanrossumsetnosy: gvanrossum, barry, orsenthil, pitrou, benjamin.peterson
messages: + msg130349
2011-03-08 19:09:04pitrousetnosy: + pitrou, orsenthil
messages: + msg130348
2011-03-08 19:05:15gvanrossumcreate