classification
Title: [EASY doc] http.server, SimpleHTTPServer: warn users on security
Type: security Stage: patch review
Components: Library (Lib) Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: orsenthil Nosy List: Windson Yang, benjamin.peterson, fbidu, gutsytechster, martin.panter, miss-islington, ned.deily, orsenthil, vstinner, xtreak
Priority: Keywords: easy, patch

Created on 2018-09-04 09:39 by vstinner, last changed 2018-10-22 08:21 by vstinner.

Pull Requests
URL       Status  Linked
PR 9720   merged  fbidu, 2018-10-05 17:38
PR 9794   merged  miss-islington, 2018-10-11 02:44
PR 9795   merged  miss-islington, 2018-10-11 02:44
PR 10005  merged  orsenthil, 2018-10-20 15:00
Messages (20)
msg324577 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-09-04 09:39
Larry Hastings proposed on the PSRT mailing list to add the following note to the SimpleHTTPServer documentation:

    Note: SimpleHTTPServer is, as its name implies, a simple HTTP
    server.  We provide it as a sample implementation of the Python HTTP
    server API.  However, SimpleHTTPServer is neither secure nor
    high-performance, and as such you should not use SimpleHTTPServer in
    security-sensitive or performance-sensitive applications.

For example, if you create a symbolic link outside the directory served by SimpleHTTPServer, SimpleHTTPServer follows symbolic links.
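The symlink behaviour described above, as an added example that is not part of this issue or of CPython's own code. It serves a constructed directory containing a symlink to a file outside it with the stock SimpleHTTPRequestHandler, then repeats the request against a hardened subclass (NoEscapeHandler, a name chosen here) that rejects any target whose resolved path leaves the served root. POSIX symlink support and Python 3.7+ (for the `directory` argument and ThreadingHTTPServer) are assumed.

```python
"""Demonstrate that http.server.SimpleHTTPRequestHandler follows a symlink out of
the served directory, and one way to refuse such requests.

Added example, not code from the issue or from CPython; QuietHandler,
NoEscapeHandler, serve(), fetch() and demo() are this example's own names.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock behaviour, minus per-request logging so the demo output stays readable."""

    def log_message(self, format, *args):
        pass


class NoEscapeHandler(QuietHandler):
    """Refuse any request whose resolved filesystem path leaves the served root.

    translate_path() maps the URL onto the filesystem without resolving symlinks,
    so a link placed inside the directory can point anywhere on disk.  Comparing
    os.path.realpath() of the target against the real root closes that gap for
    both GET and HEAD, which share send_head().
    """

    def send_head(self):
        root = os.path.realpath(self.directory)
        target = os.path.realpath(self.translate_path(self.path))
        if target != root and not target.startswith(root + os.sep):
            self.send_error(http.HTTPStatus.FORBIDDEN, "Path escapes served directory")
            return None
        return super().send_head()


def serve(handler_cls, directory):
    """Start handler_cls on 127.0.0.1 at an ephemeral port; return (server, port)."""
    factory = functools.partial(handler_cls, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def fetch(port, url_path):
    """GET url_path from the local server; return (status, body)."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{url_path}", timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def demo():
    """Serve a directory that contains a symlink to a file outside it.

    Constructed layout (assumption: POSIX symlinks are available):
        base/secret.txt            <- outside the served tree
        base/www/leak -> base/secret.txt
    Returns ((status, body) from the stock handler, (status, body) from the
    hardened handler) for GET /leak.
    """
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("top secret\n")
        www = os.path.join(base, "www")
        os.mkdir(www)
        os.symlink(secret, os.path.join(www, "leak"))

        results = []
        for handler in (QuietHandler, NoEscapeHandler):
            httpd, port = serve(handler, www)
            try:
                results.append(fetch(port, "/leak"))
            finally:
                httpd.shutdown()
                httpd.server_close()
        return tuple(results)


if __name__ == "__main__":
    stock, hardened = demo()
    print("stock handler:   ", stock)      # (200, b'top secret\n')
    print("hardened handler:", hardened)   # (403, <error page>)
```

The stock handler answers 200 with the contents of a file that was never inside the served tree, because it opens whatever path the symlink resolves to. The realpath check is only one of the controls a production server applies; it does nothing about a symlink created after the check (TOCTOU) or about files that are inside the root but should not be public, which is why the note above argues for a documentation warning rather than for hardening this module case by case.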
msg324579 - Author: Windson Yang (Windson Yang) * Date: 2018-09-04 10:13
The SimpleHTTPServer module has been merged into http.server in Python 3. So should we add this to the Python 2 documentation?
msg324583 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-09-04 12:33
> The SimpleHTTPServer module has been merged into http.server in Python 3. So should we add this to the Python 2 documentation?

The note should be added to both the Python 2 and the Python 3 documentation.
msg326058 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2018-09-22 01:08
There was some disagreement later on the list about adding this warning. We will fix security issues in SimpleHTTPServer.
msg326555 - Author: Felipe Rodrigues (fbidu) * Date: 2018-09-27 12:04
Well, even if we do fix some security issues in SimpleHTTPServer, it doesn't change the fact that it shouldn't really be used for sensitive applications. I like how the Django docs handle a similar issue regarding their development server (https://docs.djangoproject.com/en/2.1/ref/django-admin/#runserver):

> DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that's how it's gonna stay. We're in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)

I think that the same philosophy applies to SimpleHTTPServer. If the warning should be added to the docs, I'll be glad to issue a PR fixing it!
msg327069 - Author: Prashant Sharma (gutsytechster) Date: 2018-10-04 17:00
Should this change be done? If so, I would want to take up this issue.
msg327089 - Author: Martin Panter (martin.panter) * (Python committer) Date: 2018-10-04 21:22
FYI Senthil made an earlier suggestion for wording at <https://bugs.python.org/issue26005#msg257517>
msg327504 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-11 02:43
New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master':
bpo-34576 warn users on security for http.server (#9720)
https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f
msg327509 - Author: miss-islington (miss-islington) Date: 2018-10-11 03:31
New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394
msg327512 - Author: miss-islington (miss-islington) Date: 2018-10-11 03:55
New changeset 57038bcb24407abbbb46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/57038bcb24407abbbb46e6d278d0ab4b6ad25bbf
msg327526 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-10-11 08:32
The rendering is surprising: it looks like the full documentation is part of the § Security Considerations:

https://docs.python.org/dev/library/http.server.html#security-considerations

I suggest adding a new title for the rest of the documentation.
msg327540 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-11 15:47
@Victor - Surprising. Thanks for noticing this. I will fix it shortly.
msg328141 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 15:02
Fixed it here - https://github.com/python/cpython/pull/10005
And tested the rendering too https://screenshots.firefox.com/9Wlq9v1Y7M4DZBsG/localhost

Upon review / approval, I will merge this. 

Thank you!
msg328162 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 16:51
New changeset 92fe93e48a852d22ba33c0fa12112ae664724202 by Ned Deily in branch '3.6':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/92fe93e48a852d22ba33c0fa12112ae664724202
msg328165 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 16:57
New changeset 32fe7b0188bb73c84c0bde80643b6a3bfd03ba93 by Ned Deily in branch '3.7':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/32fe7b0188bb73c84c0bde80643b6a3bfd03ba93
msg328170 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 17:10
Sorry, Senthil, I reverted the original PRs for 3.7.1 and 3.6.7 so you may need to redo your new PR.
msg328173 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 17:39
No problem, Ned. I will update it.
msg328174 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 17:49
Please approve this one - https://github.com/python/cpython/pull/10005 - and I will adapt the backports according to the reverts.
msg328175 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 18:32
New changeset eeab510bb7e51802c18b3770cbb23ae0ca91da6b by Senthil Kumaran in branch 'master':
bpo-34576 - Fix the formatting for security considerations in http.server.rst (#10005)
https://github.com/python/cpython/commit/eeab510bb7e51802c18b3770cbb23ae0ca91da6b
msg328241 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-10-22 08:21
"http.server is meant for demo purposes and does not implement the stringent security checks needed of a real HTTP server. We do not recommend using this module directly in production."

I'm not sure about "demo" and "real" in this warning. I propose:

"http.server is not recommended for production: it only implements basic security checks."
History
Date                 User               Action  Args
2018-10-22 08:21:19  vstinner           set     messages: + msg328241
2018-10-20 18:32:11  orsenthil          set     messages: + msg328175
2018-10-20 17:49:02  orsenthil          set     messages: + msg328174
2018-10-20 17:39:30  orsenthil          set     messages: + msg328173
2018-10-20 17:10:53  ned.deily          set     priority: deferred blocker -> ; messages: + msg328170
2018-10-20 16:57:26  ned.deily          set     messages: + msg328165
2018-10-20 16:51:01  ned.deily          set     nosy: + ned.deily; messages: + msg328162
2018-10-20 15:02:41  orsenthil          set     assignee: orsenthil
2018-10-20 15:02:33  orsenthil          set     messages: + msg328141
2018-10-20 15:00:54  orsenthil          set     pull_requests: + pull_request9346
2018-10-13 04:53:28  ned.deily          set     priority: normal -> deferred blocker
2018-10-11 15:47:46  orsenthil          set     messages: + msg327540
2018-10-11 08:32:16  vstinner           set     messages: + msg327526
2018-10-11 03:55:37  miss-islington     set     messages: + msg327512
2018-10-11 03:31:34  miss-islington     set     nosy: + miss-islington; messages: + msg327509
2018-10-11 02:44:28  miss-islington     set     pull_requests: + pull_request9178
2018-10-11 02:44:21  miss-islington     set     pull_requests: + pull_request9176
2018-10-11 02:43:45  orsenthil          set     nosy: + orsenthil; messages: + msg327504
2018-10-05 17:38:17  fbidu              set     keywords: + patch; stage: patch review; pull_requests: + pull_request9103
2018-10-04 21:22:10  martin.panter      set     nosy: + martin.panter; messages: + msg327089
2018-10-04 21:20:11  martin.panter      link    issue26005 superseder
2018-10-04 17:00:49  gutsytechster      set     nosy: + gutsytechster; messages: + msg327069
2018-09-27 12:04:32  fbidu              set     nosy: + fbidu; messages: + msg326555
2018-09-22 01:08:17  benjamin.peterson  set     nosy: + benjamin.peterson; messages: + msg326058
2018-09-21 22:17:58  vstinner           set     keywords: + easy; title: SimpleHTTPServer: warn users on security -> [EASY doc] http.server, SimpleHTTPServer: warn users on security
2018-09-04 12:36:39  xtreak             set     nosy: + xtreak
2018-09-04 12:33:22  vstinner           set     messages: + msg324583
2018-09-04 10:13:35  Windson Yang       set     nosy: + Windson Yang; messages: + msg324579
2018-09-04 09:39:03  vstinner           create