The security list received a report about SimpleHTTPServer's list_directory(). It needs to add a charset parameter to the Content-type header. This is already done in Python 3 (where this code lives in http/server.py) but not in any Python 2 versions I can find. A simple backport of the code in Python 3 should hopefully suffice.

I'm marking this tentatively as a release blocker, but I don't see it's necessary to issue an urgent release. It should just be fixed before the next scheduled releases of 2.5, 2.6, 2.7.

> It needs to add a charset parameter to the Content-type header.

What is the rationale?

>> It needs to add a charset parameter to the Content-type header.
>
> What is the rationale?

Without a charset parameter, IE7 engages in encoding-sniffing and can
be enticed to interpret the output as UTF7. This allows an attacker to
hide e.g. <script> tags in UTF-7 encoded characters which do not get
quoted by cgi.encode(). This allows XSS attacks.

I have backported the code from python 3, to apply to the current 2.7 branch. All tests pass, and my machine reports "Content-type: text/html; charset=UTF-8", which appears to be correct.

Looks good, this should be committed to the 2.5 branch first, then
merged to 2.6, then to 2.7.

New changeset e9724d7abbc2 by Senthil Kumaran in branch '2.5':
Fix issue11442 - Add a charset parameter to the Content-type to avoid XSS attacks.
http://hg.python.org/cpython/rev/e9724d7abbc2

Fixed in all the relevant code lines.

Thanks Senthil!

New changeset bb1695c6cea1 by Martin v. Löwis in branch '2.5':
Issue 11442: Add NEWS entry for e9724d7abbc2
http://hg.python.org/cpython/rev/bb1695c6cea1

Senthil, I just want to verify.  You applied this patch to the Python 2.6 branch in hg, but not in svn, correct?  Since I'm going to be making the 2.6.7 release from svn, I am porting this patch over to the svn 2.6 branch.  You don't have to do that, but if you can just confirm it, that would be great.

Let me confirm that. Since it is a security patch the entire point of it is to be placed in the release.

I don't want to question the reasons for doing the release from svn instead of from hg, but I do want to emphasize that the hg branch ought to be considered the master which svn should track as closely as possible.  The only reason to not port a patch to the svn branch would be if it was submitted to the hg branch in contradiction with some policy (e.g. a non-security fix to a branch that should only receive security fixes), and then it should probably be rolled back in the hg branch (and the decision to do so should be very visible on python-dev).

On May 20, 2011, at 10:07 PM, Guido van Rossum wrote:

>
>Guido van Rossum <guido@python.org> added the comment:
>
>Let me confirm that. Since it is a security patch the entire point of it is
>to be placed in the release.

Cool, I've ported it over to svn.

>I don't want to question the reasons for doing the release from svn instead
>of from hg, but I do want to emphasize that the hg branch ought to be
>considered the master which svn should track as closely as possible.  The
>only reason to not port a patch to the svn branch would be if it was
>submitted to the hg branch in contradiction with some policy (e.g. a
>non-security fix to a branch that should only receive security fixes), and
>then it should probably be rolled back in the hg branch (and the decision to
>do so should be very visible on python-dev).

I'm okay with that.  Right now I can't push my reconciled hg repo though
because line ending changes were committed to various files in hg but not
svn.  I don't think they're appropriate frankly, but rolling them back causes
hg push to fail.

Antoine suggested whitelisting those files in .hgeol, which I'll investigate.

For posterity, according to the red hat tracker at https://bugzilla.redhat.com/show_bug.cgi?id=803500 this issue has been assigned a CVE number: CVE-2011-4940