
classification
Title: [EASY doc] http.server, SimpleHTTPServer: warn users on security
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: orsenthil Nosy List: Windson Yang, benjamin.peterson, fbidu, gutsytechster, martin.panter, miss-islington, ned.deily, orsenthil, vstinner, xtreak
Priority: Keywords: easy, patch

Created on 2018-09-04 09:39 by vstinner, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL  Status  Linked
PR 9720 merged fbidu, 2018-10-05 17:38
PR 9794 merged miss-islington, 2018-10-11 02:44
PR 9795 merged miss-islington, 2018-10-11 02:44
PR 10005 merged orsenthil, 2018-10-20 15:00
PR 10113 merged orsenthil, 2018-10-26 00:51
PR 10114 merged orsenthil, 2018-10-26 00:55
PR 10115 merged orsenthil, 2018-10-26 01:02
PR 10116 merged orsenthil, 2018-10-26 01:09
Messages (25)
msg324577 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-09-04 09:39
Larry Hastings proposed on the PSRT mailing list to add the following note to the SimpleHTTPServer documentation:

    Note: SimpleHTTPServer is, as its name implies, a simple HTTP
    server.  We provide it as a sample implementation of the Python HTTP
    server API.  However, SimpleHTTPServer is neither secure nor
    high-performance, and as such you should not use SimpleHTTPServer in
    security-sensitive or performance-sensitive applications.

For example, if you create a symbolic link outside the directory served by SimpleHTTPServer, SimpleHTTPServer follows symbolic links.
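Illustration of the symlink behaviour Victor describes, added here as an example; it is not code from this issue, from CPython, or from any commenter. The URL-to-filesystem mapping below is my own reimplementation of the usual directory-serving scheme (drop query and fragment, percent-decode, normalise, join plain components only), and the temporary directory, the file names and their contents are constructed for the demo:

```python
"""Show why the symlink remark matters: a handler that maps URL paths onto a
served directory by joining components blocks '..' but reads straight through
a symlink that points outside the tree. contained_read() adds a realpath
containment check that refuses such targets. Constructed demo code, not
CPython's http.server."""
import os
import posixpath
import shutil
import tempfile
import urllib.parse


def url_to_fs_path(root, url_path):
    """Map a request path onto the served directory (my reimplementation).

    Drop query/fragment, percent-decode, normalise, then join only plain
    components, so '.' and '..' never reach the join.
    """
    url_path = url_path.split("?", 1)[0].split("#", 1)[0]
    url_path = posixpath.normpath(urllib.parse.unquote(url_path))
    parts = [p for p in url_path.split("/") if p not in ("", ".", "..")]
    return os.path.join(root, *parts)


def naive_read(root, url_path):
    """Serve whatever the mapped path opens, trusting the filesystem."""
    with open(url_to_fs_path(root, url_path), "rb") as f:
        return f.read()


def contained_read(root, url_path):
    """Serve the file only if its real location lies under the served root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(url_to_fs_path(root, url_path))
    # commonpath() rather than startswith(): '/srv/www' must not match '/srv/www2'
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"{url_path!r} resolves outside {root_real}")
    with open(target, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed layout: base/secret.txt (outside) and base/www/ (served),
    with www/leak -> base/secret.txt. Returns (base, served)."""
    base = tempfile.mkdtemp(prefix="httpserver-demo-")
    served = os.path.join(base, "www")
    os.mkdir(served)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    with open(os.path.join(served, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    os.symlink(secret, os.path.join(served, "leak"))
    return base, served


def demo():
    """Run both readers against the fixture and report what each served."""
    base, served = build_fixture()
    results = {}
    try:
        results["naive_index"] = naive_read(served, "/index.html")
        # '..' is dropped during mapping, so this lands on www/secret.txt (absent)
        try:
            naive_read(served, "/../secret.txt")
            results["naive_dotdot"] = "served"
        except FileNotFoundError:
            results["naive_dotdot"] = "not found"
        # ...but the symlink is followed and the outside file is served
        results["naive_symlink"] = naive_read(served, "/leak")
        results["contained_index"] = contained_read(served, "/index.html")
        try:
            contained_read(served, "/leak")
            results["contained_symlink"] = "served"
        except PermissionError:
            results["contained_symlink"] = "refused"
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

The realpath check closes the symlink hole for a static tree, but it is still a check-then-open: a link swapped between `realpath()` and `open()` would slip through, so a production server should open relative to a root descriptor or with `O_NOFOLLOW` rather than rely on this pattern alone.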
msg324579 - (view) Author: Windson Yang (Windson Yang) * Date: 2018-09-04 10:13
The SimpleHTTPServer module has been merged into http.server in Python 3. So should we add this to the Python 2 documentation?
msg324583 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-09-04 12:33
> The SimpleHTTPServer module has been merged into http.server in Python 3. So should we add this to the Python 2 documentation?

The note should be added to the Python 2 and Python 3 documentation.
msg326058 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2018-09-22 01:08
There was some disagreement later on the list about adding this warning. We will fix security issues in SimpleHTTPServer.
msg326555 - (view) Author: Felipe Rodrigues (fbidu) * Date: 2018-09-27 12:04
Well, even if we do fix some security issues in SimpleHTTPServer, it doesn't change the fact that it shouldn't really be used for sensitive applications. I like how the Django docs handle a similar issue regarding their development server (https://docs.djangoproject.com/en/2.1/ref/django-admin/#runserver):

> DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that’s how it’s gonna stay. We’re in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)

I think that the same philosophy applies to SimpleHTTPServer. If the warning should be added to the docs, I'll be glad to issue a PR fixing it!
msg327069 - (view) Author: Prashant Sharma (gutsytechster) Date: 2018-10-04 17:00
Should this change be done? If so, I would want to take up this issue.
msg327089 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2018-10-04 21:22
FYI Senthil made an earlier suggestion for wording at <https://bugs.python.org/issue26005#msg257517>
msg327504 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-11 02:43
New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master':
bpo-34576 warn users on security for http.server (#9720)
https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f
msg327509 - (view) Author: miss-islington (miss-islington) Date: 2018-10-11 03:31
New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394
msg327512 - (view) Author: miss-islington (miss-islington) Date: 2018-10-11 03:55
New changeset 57038bcb24407abbbb46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/57038bcb24407abbbb46e6d278d0ab4b6ad25bbf
msg327526 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-10-11 08:32
The rendering is surprising: it looks like the full documentation is part of the § Security Considerations section:

https://docs.python.org/dev/library/http.server.html#security-considerations

I suggest adding a new title for the rest of the documentation.
msg327540 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-11 15:47
@Victor - Surprising. Thanks for noticing this. I will fix it shortly.
msg328141 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 15:02
Fixed it here - https://github.com/python/cpython/pull/10005
And tested the rendering too https://screenshots.firefox.com/9Wlq9v1Y7M4DZBsG/localhost

Upon review / approval, I will merge this. 

Thank you!
msg328162 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 16:51
New changeset 92fe93e48a852d22ba33c0fa12112ae664724202 by Ned Deily in branch '3.6':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/92fe93e48a852d22ba33c0fa12112ae664724202
msg328165 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 16:57
New changeset 32fe7b0188bb73c84c0bde80643b6a3bfd03ba93 by Ned Deily in branch '3.7':
bpo-34576: Revert doc change until it can be properly fixed (GH-9720)
https://github.com/python/cpython/commit/32fe7b0188bb73c84c0bde80643b6a3bfd03ba93
msg328170 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-10-20 17:10
Sorry, Senthil, I reverted the original PRs for 3.7.1 and 3.6.7 so you may need to redo your new PR.
msg328173 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 17:39
No problem, Ned. I will update it.
msg328174 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 17:49
Please approve this one - https://github.com/python/cpython/pull/10005 - and I will adapt the backports according to the reverts.
msg328175 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-20 18:32
New changeset eeab510bb7e51802c18b3770cbb23ae0ca91da6b by Senthil Kumaran in branch 'master':
bpo-34576 - Fix the formatting for security considerations in http.server.rst (#10005)
https://github.com/python/cpython/commit/eeab510bb7e51802c18b3770cbb23ae0ca91da6b
msg328241 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-10-22 08:21
"http.server is meant for demo purposes and does not implement the stringent security checks needed of a real HTTP server. We do not recommend using this module directly in production."

I'm not sure about "demo" and "real" in this warning. I propose:

"http.server is not recommended for production: it only implements basic security checks."
msg328508 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-26 01:10
This should be it - 

https://github.com/python/cpython/pull/10116
https://github.com/python/cpython/pull/10114
https://github.com/python/cpython/pull/10113
https://github.com/python/cpython/pull/10115

Let's merge these simple PRs and close this issue.
msg328525 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-26 08:27
New changeset 971089fc2a09e4bcb872efac52c1b014af16fff9 by Senthil Kumaran in branch '2.7':
[2.7] bpo-34576 : Backport eeab510 2.7 (#10115)
https://github.com/python/cpython/commit/971089fc2a09e4bcb872efac52c1b014af16fff9
msg328572 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-26 17:11
New changeset bb1876acd815a05744cea4a7d4098231ef499e52 by Senthil Kumaran in branch '3.7':
[3.7]  bpo-34576 : Backport eeab510 (#10114)
https://github.com/python/cpython/commit/bb1876acd815a05744cea4a7d4098231ef499e52
msg328573 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-26 17:12
New changeset 8be1c043a6d10d375f7a73c681cb2d7ec2f2d361 by Senthil Kumaran in branch '3.6':
[3.6] - bpo-34576 : Backport eeab510 3.6 (GH-10113)
https://github.com/python/cpython/commit/8be1c043a6d10d375f7a73c681cb2d7ec2f2d361
msg328574 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-26 17:13
This is resolved. Thank you, all.
History
Date User Action Args
2022-04-11 14:59:05 admin set github: 78757
2018-10-26 17:13:01 orsenthil set status: open -> closed; messages: + msg328574; stage: patch review -> resolved
2018-10-26 17:12:35 orsenthil set messages: + msg328573
2018-10-26 17:11:44 orsenthil set messages: + msg328572
2018-10-26 08:27:14 orsenthil set messages: + msg328525
2018-10-26 01:10:44 orsenthil set resolution: fixed; messages: + msg328508
2018-10-26 01:09:34 orsenthil set pull_requests: + pull_request9449
2018-10-26 01:02:01 orsenthil set pull_requests: + pull_request9448
2018-10-26 00:55:13 orsenthil set pull_requests: + pull_request9447
2018-10-26 00:55:10 orsenthil set pull_requests: + pull_request9446
2018-10-26 00:51:09 orsenthil set pull_requests: + pull_request9445
2018-10-22 08:21:19 vstinner set messages: + msg328241
2018-10-20 18:32:11 orsenthil set messages: + msg328175
2018-10-20 17:49:02 orsenthil set messages: + msg328174
2018-10-20 17:39:30 orsenthil set messages: + msg328173
2018-10-20 17:10:53 ned.deily set priority: deferred blocker -> ; messages: + msg328170
2018-10-20 16:57:26 ned.deily set messages: + msg328165
2018-10-20 16:51:01 ned.deily set nosy: + ned.deily; messages: + msg328162
2018-10-20 15:02:41 orsenthil set assignee: orsenthil
2018-10-20 15:02:33 orsenthil set messages: + msg328141
2018-10-20 15:00:54 orsenthil set pull_requests: + pull_request9346
2018-10-13 04:53:28 ned.deily set priority: normal -> deferred blocker
2018-10-11 15:47:46 orsenthil set messages: + msg327540
2018-10-11 08:32:16 vstinner set messages: + msg327526
2018-10-11 03:55:37 miss-islington set messages: + msg327512
2018-10-11 03:31:34 miss-islington set nosy: + miss-islington; messages: + msg327509
2018-10-11 02:44:28 miss-islington set pull_requests: + pull_request9178
2018-10-11 02:44:21 miss-islington set pull_requests: + pull_request9176
2018-10-11 02:43:45 orsenthil set nosy: + orsenthil; messages: + msg327504
2018-10-05 17:38:17 fbidu set keywords: + patch; stage: patch review; pull_requests: + pull_request9103
2018-10-04 21:22:10 martin.panter set nosy: + martin.panter; messages: + msg327089
2018-10-04 21:20:11 martin.panter link issue26005 superseder
2018-10-04 17:00:49 gutsytechster set nosy: + gutsytechster; messages: + msg327069
2018-09-27 12:04:32 fbidu set nosy: + fbidu; messages: + msg326555
2018-09-22 01:08:17 benjamin.peterson set nosy: + benjamin.peterson; messages: + msg326058
2018-09-21 22:17:58 vstinner set keywords: + easy; title: SimpleHTTPServer: warn users on security -> [EASY doc] http.server, SimpleHTTPServer: warn users on security
2018-09-04 12:36:39 xtreak set nosy: + xtreak
2018-09-04 12:33:22 vstinner set messages: + msg324583
2018-09-04 10:13:35 Windson Yang set nosy: + Windson Yang; messages: + msg324579
2018-09-04 09:39:03 vstinner create