URL | Status | Linked | Edit |
PR 9720 | merged | fbidu, 2018-10-05 17:38 | |
PR 9794 | merged | miss-islington, 2018-10-11 02:44 | |
PR 9795 | merged | miss-islington, 2018-10-11 02:44 | |
PR 10005 | merged | orsenthil, 2018-10-20 15:00 | |
PR 10113 | merged | orsenthil, 2018-10-26 00:51 | |
PR 10114 | merged | orsenthil, 2018-10-26 00:55 | |
PR 10114 | merged | orsenthil, 2018-10-26 00:55 | |
PR 10115 | merged | orsenthil, 2018-10-26 01:02 | |
PR 10116 | merged | orsenthil, 2018-10-26 01:09 | |
msg324577 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2018-09-04 09:39 |
Larry Hastings proposed on the PSRT mailing list to add the following note to the SimpleHTTPServer documentation:
> Note: SimpleHTTPServer is, as its name implies, a simple HTTP server. We provide it as a sample implementation of the Python HTTP server API. However, SimpleHTTPServer is neither secure nor high-performance, and as such you should not use SimpleHTTPServer in security-sensitive or performance-sensitive applications.
For example, if you create a symbolic link outside the directory served by SimpleHTTPServer, SimpleHTTPServer follows symbolic links.
|
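The symlink behaviour raised in msg324577, as an added example that is not part of the thread or of CPython: an audit of a served directory for symlinks that resolve outside it, plus a handler subclass that refuses such paths. The names `resolves_inside`, `escaping_symlinks`, `NoEscapeHandler` and `demo` are hypothetical, the sample tree is constructed, and `self.directory` assumes Python 3.7 or later.

```python
import os
import tempfile
from http.server import SimpleHTTPRequestHandler


def resolves_inside(root, path):
    """True if path, with symlinks resolved, is still located under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def escaping_symlinks(root):
    """Audit helper: symlinks under root whose targets resolve outside it."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not resolves_inside(root, full):
                found.append(os.path.relpath(full, root))
    return sorted(found)


class NoEscapeHandler(SimpleHTTPRequestHandler):
    """Hypothetical subclass: answer 404 for paths that leave the served dir.

    Check-then-open is not race-free, so this narrows the exposure only.
    """

    def send_head(self):
        # self.directory exists on Python 3.7+ (assumption of this example).
        if not resolves_inside(self.directory, self.translate_path(self.path)):
            self.send_error(404, "File not found")
            return None
        return super().send_head()


def demo():
    """Constructed sample tree: one link stays inside, one leaves the root."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.mkdir(root)
        secret = os.path.join(base, "secret.txt")  # outside the served dir
        for p in (secret, os.path.join(root, "index.html")):
            with open(p, "w") as fh:
                fh.write("x")
        os.symlink("index.html", os.path.join(root, "inside"))
        os.symlink(secret, os.path.join(root, "leak"))
        return escaping_symlinks(root)
```

To serve with the subclass, pass `functools.partial(NoEscapeHandler, directory=root)` as the handler class to `http.server.HTTPServer`.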
msg324579 - (view) |
Author: Windson Yang (Windson Yang) * |
Date: 2018-09-04 10:13 |
The SimpleHTTPServer module has been merged into http.server in Python 3. So do we add this to the Python 2 documentation?
|
msg324583 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2018-09-04 12:33 |
> The SimpleHTTPServer module has been merged into http.server in Python 3. So do we add this to the Python 2 documentation?
The note should be added to the Python 2 and Python 3 documentation.
|
msg326058 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2018-09-22 01:08 |
There was some disagreement later on the list about adding this warning. We will fix security issues in SimpleHTTPServer.
|
msg326555 - (view) |
Author: Felipe Rodrigues (fbidu) * |
Date: 2018-09-27 12:04 |
Well, even if we do fix some security issues in SimpleHTTPServer, it doesn't change the fact that it shouldn't really be used for sensitive applications. I like how the Django docs handle a similar issue regarding their development server (https://docs.djangoproject.com/en/2.1/ref/django-admin/#runserver):
> DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that’s how it’s gonna stay. We’re in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)
I think that the same philosophy applies to SimpleHTTPServer. If the warning should be added to the docs, I'll be glad to issue a PR fixing it!
|
msg327069 - (view) |
Author: Prashant Sharma (gutsytechster) |
Date: 2018-10-04 17:00 |
Should this change be done? If so, I would want to take up this issue.
|
msg327089 - (view) |
Author: Martin Panter (martin.panter) * |
Date: 2018-10-04 21:22 |
FYI Senthil made an earlier suggestion for wording at <https://bugs.python.org/issue26005#msg257517>
|
msg327504 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-11 02:43 |
New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master':
bpo-34576 warn users on security for http.server (#9720)
https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f
|
msg327509 - (view) |
Author: miss-islington (miss-islington) |
Date: 2018-10-11 03:31 |
New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394
|
msg327512 - (view) |
Author: miss-islington (miss-islington) |
Date: 2018-10-11 03:55 |
New changeset 57038bcb24407abbbb46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/57038bcb24407abbbb46e6d278d0ab4b6ad25bbf
|
msg327526 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2018-10-11 08:32 |
The render is surprising: it looks like the full documentation is part of the § Security Considerations:
https://docs.python.org/dev/library/http.server.html#security-considerations
I suggest adding a new title for the rest of the documentation.
|
msg327540 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-11 15:47 |
@Victor - Surprising. Thanks for noticing this. I will fix it shortly.
|
msg328141 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-20 15:02 |
Fixed it here - https://github.com/python/cpython/pull/10005
And tested the rendering too https://screenshots.firefox.com/9Wlq9v1Y7M4DZBsG/localhost
Upon review / approval, I will merge this.
Thank you!
|
msg328162 - (view) |
Author: Ned Deily (ned.deily) * |
Date: 2018-10-20 16:51 |
New changeset 92fe93e48a852d22ba33c0fa12112ae664724202 by Ned Deily in branch '3.6':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/92fe93e48a852d22ba33c0fa12112ae664724202
|
msg328165 - (view) |
Author: Ned Deily (ned.deily) * |
Date: 2018-10-20 16:57 |
New changeset 32fe7b0188bb73c84c0bde80643b6a3bfd03ba93 by Ned Deily in branch '3.7':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/32fe7b0188bb73c84c0bde80643b6a3bfd03ba93
|
msg328170 - (view) |
Author: Ned Deily (ned.deily) * |
Date: 2018-10-20 17:10 |
Sorry, Senthil, I reverted the original PRs for 3.7.1 and 3.6.7 so you may need to redo your new PR.
|
msg328173 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-20 17:39 |
No problem, Ned. I will update it.
|
msg328174 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-20 17:49 |
Please approve this one - https://github.com/python/cpython/pull/10005 and I will adapt the backports according to the reverts.
|
msg328175 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-20 18:32 |
New changeset eeab510bb7e51802c18b3770cbb23ae0ca91da6b by Senthil Kumaran in branch 'master':
bpo-34576 - Fix the formatting for security considerations in http.server.rst (#10005)
https://github.com/python/cpython/commit/eeab510bb7e51802c18b3770cbb23ae0ca91da6b
|
msg328241 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2018-10-22 08:21 |
"http.server is meant for demo purposes and does not implement the stringent security checks needed of a real HTTP server. We do not recommend using this module directly in production."
I'm not sure about "demo" and "real" in this warning. I propose:
"http.server is not recommended for production: it only implements basic security checks."
|
msg328508 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-26 01:10 |
This should be it -
https://github.com/python/cpython/pull/10116
https://github.com/python/cpython/pull/10114
https://github.com/python/cpython/pull/10113
https://github.com/python/cpython/pull/10115
Let's merge these simple PRs and close this issue.
|
msg328525 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-26 08:27 |
New changeset 971089fc2a09e4bcb872efac52c1b014af16fff9 by Senthil Kumaran in branch '2.7':
[2.7] bpo-34576 : Backport eeab510 2.7 (#10115)
https://github.com/python/cpython/commit/971089fc2a09e4bcb872efac52c1b014af16fff9
|
msg328572 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-26 17:11 |
New changeset bb1876acd815a05744cea4a7d4098231ef499e52 by Senthil Kumaran in branch '3.7':
[3.7] bpo-34576 : Backport eeab510 (#10114)
https://github.com/python/cpython/commit/bb1876acd815a05744cea4a7d4098231ef499e52
|
msg328573 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-26 17:12 |
New changeset 8be1c043a6d10d375f7a73c681cb2d7ec2f2d361 by Senthil Kumaran in branch '3.6':
[3.6] - bpo-34576 : Backport eeab510 3.6 (GH-10113)
https://github.com/python/cpython/commit/8be1c043a6d10d375f7a73c681cb2d7ec2f2d361
|
msg328574 - (view) |
Author: Senthil Kumaran (orsenthil) * |
Date: 2018-10-26 17:13 |
This is resolved. Thank you, all.
|
|
Date | User | Action | Args |
2022-04-11 14:59:05 | admin | set | github: 78757 |
2018-10-26 17:13:01 | orsenthil | set | status: open -> closed; messages: + msg328574; stage: patch review -> resolved |
2018-10-26 17:12:35 | orsenthil | set | messages: + msg328573 |
2018-10-26 17:11:44 | orsenthil | set | messages: + msg328572 |
2018-10-26 08:27:14 | orsenthil | set | messages: + msg328525 |
2018-10-26 01:10:44 | orsenthil | set | resolution: fixed; messages: + msg328508 |
2018-10-26 01:09:34 | orsenthil | set | pull_requests: + pull_request9449 |
2018-10-26 01:02:01 | orsenthil | set | pull_requests: + pull_request9448 |
2018-10-26 00:55:13 | orsenthil | set | pull_requests: + pull_request9447 |
2018-10-26 00:55:10 | orsenthil | set | pull_requests: + pull_request9446 |
2018-10-26 00:51:09 | orsenthil | set | pull_requests: + pull_request9445 |
2018-10-22 08:21:19 | vstinner | set | messages: + msg328241 |
2018-10-20 18:32:11 | orsenthil | set | messages: + msg328175 |
2018-10-20 17:49:02 | orsenthil | set | messages: + msg328174 |
2018-10-20 17:39:30 | orsenthil | set | messages: + msg328173 |
2018-10-20 17:10:53 | ned.deily | set | priority: deferred blocker -> ; messages: + msg328170 |
2018-10-20 16:57:26 | ned.deily | set | messages: + msg328165 |
2018-10-20 16:51:01 | ned.deily | set | nosy: + ned.deily; messages: + msg328162 |
2018-10-20 15:02:41 | orsenthil | set | assignee: orsenthil |
2018-10-20 15:02:33 | orsenthil | set | messages: + msg328141 |
2018-10-20 15:00:54 | orsenthil | set | pull_requests: + pull_request9346 |
2018-10-13 04:53:28 | ned.deily | set | priority: normal -> deferred blocker |
2018-10-11 15:47:46 | orsenthil | set | messages: + msg327540 |
2018-10-11 08:32:16 | vstinner | set | messages: + msg327526 |
2018-10-11 03:55:37 | miss-islington | set | messages: + msg327512 |
2018-10-11 03:31:34 | miss-islington | set | nosy: + miss-islington; messages: + msg327509 |
2018-10-11 02:44:28 | miss-islington | set | pull_requests: + pull_request9178 |
2018-10-11 02:44:21 | miss-islington | set | pull_requests: + pull_request9176 |
2018-10-11 02:43:45 | orsenthil | set | nosy: + orsenthil; messages: + msg327504 |
2018-10-05 17:38:17 | fbidu | set | keywords: + patch; stage: patch review; pull_requests: + pull_request9103 |
2018-10-04 21:22:10 | martin.panter | set | nosy: + martin.panter; messages: + msg327089 |
2018-10-04 21:20:11 | martin.panter | link | issue26005 superseder |
2018-10-04 17:00:49 | gutsytechster | set | nosy: + gutsytechster; messages: + msg327069 |
2018-09-27 12:04:32 | fbidu | set | nosy: + fbidu; messages: + msg326555 |
2018-09-22 01:08:17 | benjamin.peterson | set | nosy: + benjamin.peterson; messages: + msg326058 |
2018-09-21 22:17:58 | vstinner | set | keywords: + easy; title: SimpleHTTPServer: warn users on security -> [EASY doc] http.server, SimpleHTTPServer: warn users on security |
2018-09-04 12:36:39 | xtreak | set | nosy: + xtreak |
2018-09-04 12:33:22 | vstinner | set | messages: + msg324583 |
2018-09-04 10:13:35 | Windson Yang | set | nosy: + Windson Yang; messages: + msg324579 |
2018-09-04 09:39:03 | vstinner | create | |