-
-
Notifications
You must be signed in to change notification settings - Fork 33.2k
Closed
Labels
stdlibStandard Library Python modules in the Lib/ directoryStandard Library Python modules in the Lib/ directorytype-bugAn unexpected behavior, bug, or errorAn unexpected behavior, bug, or errortype-securityA security issueA security issue
Description
Bug report
Description
Python http.server will disclose the full path where the http server is running when certains URL encoded values are sent as parameters. This was tested on a linux and windows machine. This was initially reported to security@ but I was asked to create an issue here. I am including the analysis that Gregory P Smith did.
Steps to reproduce
Run
python -m http.server 9000
From another terminal:
C:\Users\fmunozs>curl http://localhost:9000/?x=123
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for /?x=123</title>
</head>
<body>
<h1>Directory listing for /?x=123</h1>
<hr>
<ul>
<li><a href="x.txt">x.txt</a></li>
</ul>
<hr>
</body>
</html>
curl http://localhost:9000/?x=%bb
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for C:\Users\fmunozs\Desktop\test/</title>
</head>
<body>
<h1>Directory listing for C:\Users\fmunozs\Desktop\test/</h1>
<hr>
<ul>
<li><a href="x.txt">x.txt</a></li>
</ul>
<hr>
</body>
</html>
Your environment
- CPython versions tested on: 3.11.3
- Operating system and architecture: Windows 11 and Linux
Analysis by Gregory P Smith
This comes from https://github.com/python/cpython/blob/v3.11.3/Lib/http/server.py#L789-L793 and has been that way probably forever in Python.
urllib.parse.unquote('/?x=%bb', errors='surrogatepass')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbb in position 4: invalid start byte
Thus self.path
isn't used for displaypath and it falls back to displaying path
which is the local filesystem path we don't want a server to expose, per that try:..except:..
Linked PRs
- gh-104049: do not expose on-disk location used by SimpleHTTPServer #104067
- [3.10] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104119
- [3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104120
- [3.8] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104121
- [3.7] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104122
- [3.11] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104123
arhadthedev and gpshead
Metadata
Metadata
Assignees
Labels
stdlibStandard Library Python modules in the Lib/ directoryStandard Library Python modules in the Lib/ directorytype-bugAn unexpected behavior, bug, or errorAn unexpected behavior, bug, or errortype-securityA security issueA security issue