Skip to content

http.server: Document explicitly that symbolic links are followed #81054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vstinner opened this issue May 10, 2019 · 3 comments · Fixed by #94416
Closed

http.server: Document explicitly that symbolic links are followed #81054

vstinner opened this issue May 10, 2019 · 3 comments · Fixed by #94416
Labels
3.8 (EOL) end of life docs Documentation in the Doc dir type-security A security issue

Comments

@vstinner
Copy link
Member

BPO 36873
Nosy @vstinner

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2019-05-10.03:41:31.078>
labels = ['type-security', '3.8', 'docs']
title = 'http.server: Document explicitly that symbolic links are followed'
updated_at = <Date 2019-05-10.03:41:31.078>
user = 'https://github.com/vstinner'

bugs.python.org fields:

activity = <Date 2019-05-10.03:41:31.078>
actor = 'vstinner'
assignee = 'docs@python'
closed = False
closed_date = None
closer = None
components = ['Documentation']
creation = <Date 2019-05-10.03:41:31.078>
creator = 'vstinner'
dependencies = []
files = []
hgrepos = []
issue_num = 36873
keywords = []
message_count = 1.0
messages = ['342054']
nosy_count = 2.0
nosy_names = ['vstinner', 'docs@python']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue36873'
versions = ['Python 3.8']
@vstinner
Copy link
Member Author

http.server documentation starts with a red warning:

"Warning: http.server is not recommended for production. It only implements basic security checks."

https://docs.python.org/dev/library/http.server.html

It would help to be even more explicit on what it means. For example, document that symbolic links are followed and SimpleHTTPRequestHandler directory can be "escaped" following symbolic links.

@vstinner vstinner added the 3.8 (EOL) end of life label May 10, 2019
@vstinner vstinner added docs Documentation in the Doc dir type-security A security issue labels May 10, 2019
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@dignissimus dignissimus mentioned this issue Jun 29, 2022
Merged
ambv pushed a commit that referenced this issue Jul 1, 2022
@dignissimus
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic lin…
80aaeab 
…ks (GH-94416)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 1, 2022
@dignissimus @miss-islington
pythongh-81054: Document that SimpleHTTPRequestHandler follows symbol…
ad4059a 
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot mentioned this issue Jul 1, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 1, 2022
@dignissimus @miss-islington
pythongh-81054: Document that SimpleHTTPRequestHandler follows symbol…
5bea455 
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot mentioned this issue Jul 1, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 1, 2022
@dignissimus @miss-islington
pythongh-81054: Document that SimpleHTTPRequestHandler follows symbol…
e76e7a7 
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot mentioned this issue Jul 1, 2022
Merged
ambv pushed a commit to ambv/cpython that referenced this issue Jul 1, 2022
@dignissimus @ambv
[3.8] pythongh-81054: Document that SimpleHTTPRequestHandler follows …
8d90a7e 
…symbolic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot mentioned this issue Jul 1, 2022
Merged
ambv pushed a commit to ambv/cpython that referenced this issue Jul 1, 2022
@dignissimus @ambv
[3.7] pythongh-81054: Document that SimpleHTTPRequestHandler follows …
2489c87 
…symbolic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot mentioned this issue Jul 1, 2022
Merged
ambv pushed a commit that referenced this issue Jul 1, 2022
@miss-islington @dignissimus
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic lin…
abf5f5c 
…ks (GH-94416) (GH-94492)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv pushed a commit that referenced this issue Jul 1, 2022
@miss-islington @dignissimus
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic lin…
cf17326 
…ks (GH-94416) (GH-94493)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv pushed a commit that referenced this issue Jul 1, 2022
@miss-islington @dignissimus
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic lin…
224cd0c 
…ks (GH-94416) (GH-94494)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv added a commit that referenced this issue Jul 1, 2022
@ambv @dignissimus
[3.8] gh-81054: Document that SimpleHTTPRequestHandler follows symbol…
bd0f2a1 
…ic links (GH-94416) (GH-94495)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv added a commit that referenced this issue Jul 1, 2022
@ambv @dignissimus
[3.7] gh-81054: Document that SimpleHTTPRequestHandler follows symbol…
239b2d9 
…ic links (GH-94416) (GH-94496)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@vstinner
Copy link
Member Author

vstinner commented Jul 3, 2022

Thanks for fixing this old doc issue ;-)

@vstinner
Copy link
Member Author

vstinner commented Jul 3, 2022

I created a new issue for more known vulnerabilities: #94531.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.8 (EOL) end of life docs Documentation in the Doc dir type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links dignissimus/cpython
1 participant
@vstinner