Message 128420 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	brett.cannon
Recipients	barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps
Date	2011-02-11.18:46:00
SpamBayes Score	5.5747785e-07
Marked as misclassified	No
Message-id	<1297449971.18.0.229893361501.issue11197@psf.upfronthosting.co.za>
In-reply-to

Content
As reported to the PSRT: Python's SimpleHTTPServer class is a simple HTTP server, documented as serving up the content of the pwd and below readonly via GET and HEAD commands: $ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... However, by inserting "../" path fragments within the path section of the URL, it's possible to traverse other directories within the filesystem. For example: lynx localhost:8000/../../../../.. shows 5 directories above in the directory structure. I was also able to browse /proc and /sys on this example using: lynx localhost:8000/../../../../../../../../proc lynx localhost:8000/../../../../../../../../sys (by browsing to find the correct number of ".." entries to locate the root directory); arguable this could be leaking much more information about the host than the administrator might be expecting (e.g. other programs being executed on the host, command-line arguments of those programs etc) This has been fixed in CGIHTTPServer; see http://bugs.python.org/issue2254 and: http://svn.python.org/view?view=rev&revision=71303 Guido recommended to not make this secret since no one should be using SimpleHTTPServer in production. He also said this should get fixed.

As reported to the PSRT:

Python's SimpleHTTPServer class is a simple HTTP server, documented as
serving up the content of the pwd and below readonly via GET and HEAD
commands:

 $ python -m SimpleHTTPServer
 Serving HTTP on 0.0.0.0 port 8000 ...

However, by inserting "../" path fragments within the path section of
the URL, it's possible to traverse other directories within the
filesystem.

For example:

 lynx localhost:8000/../../../../..

shows 5 directories above in the directory structure.

I was also able to browse /proc and /sys on this example using:

 lynx localhost:8000/../../../../../../../../proc
 lynx localhost:8000/../../../../../../../../sys

(by browsing to find the correct number of ".." entries to locate the
root directory); arguable this could be leaking much more information
about the host than the administrator might be expecting (e.g. other
programs being executed on the host, command-line arguments of those
programs etc)

This has been fixed in CGIHTTPServer; see
 http://bugs.python.org/issue2254
and:
 http://svn.python.org/view?view=rev&revision=71303

Guido recommended to not make this secret since no one should be using SimpleHTTPServer in production. He also said this should get fixed.

History
Date	User	Action	Args
2011-02-11 18:46:11	brett.cannon	set	recipients: + brett.cannon, barry, georg.brandl, gps, benjamin.peterson, dmalcolm
2011-02-11 18:46:11	brett.cannon	set	messageid: <1297449971.18.0.229893361501.issue11197@psf.upfronthosting.co.za>
2011-02-11 18:46:00	brett.cannon	link	issue11197 messages
2011-02-11 18:46:00	brett.cannon	create