Message128420

| Author | brett.cannon |
| Recipients | barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps |
| Date | 2011-02-11 18:46:00 |
| SpamBayes Score | 5.5747785e-07 |
| Marked as misclassified | No |
| Message-id | <1297449971.18.0.229893361501.issue11197@psf.upfronthosting.co.za> |
| In-reply-to | |

Content:
As reported to the PSRT:
Python's SimpleHTTPServer class is a simple HTTP server, documented as
serving up the content of the pwd and below, read-only, via GET and HEAD
commands:
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
However, by inserting "../" path fragments within the path section of
the URL, it's possible to traverse other directories within the
filesystem.
For example:
lynx localhost:8000/../../../../..
shows 5 directories above in the directory structure.
I was also able to browse /proc and /sys on this example using:
lynx localhost:8000/../../../../../../../../proc
lynx localhost:8000/../../../../../../../../sys
(by browsing to find the correct number of ".." entries to locate the
root directory); arguably this could be leaking much more information
about the host than the administrator might be expecting (e.g. other
programs being executed on the host, command-line arguments of those
programs, etc.)
This has been fixed in CGIHTTPServer; see
http://bugs.python.org/issue2254
and:
http://svn.python.org/view?view=rev&revision=71303
Guido recommended not making this secret, since no one should be using SimpleHTTPServer in production. He also said this should get fixed.
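As an added illustration of the mitigation the report points to in CGIHTTPServer (this is not code from the report, the tracker, or CPython): a request-path resolver that drops every "." and ".." segment instead of applying it, plus an independent containment check, run on the request paths quoted above. The document root /srv/www and the percent-encoded variant are constructed for the demo.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed document root for the demo, not a path from the report.
DOC_ROOT = "/srv/www"


def translate_path(url_path, base_dir=DOC_ROOT):
    """Map a request path to a filesystem path that cannot leave base_dir."""
    # Drop query string and fragment, then undo percent-encoding so an
    # encoded "%2e%2e" is seen as ".." rather than passing as a literal name.
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    # Collapse "a//b" and "a/./b" forms before splitting into segments.
    path = posixpath.normpath(path)

    resolved = os.path.abspath(base_dir)
    for segment in path.split("/"):
        # splitdrive/split neutralise drive letters and backslashes on
        # Windows; on POSIX they leave the segment unchanged.
        segment = os.path.splitdrive(segment)[1]
        segment = os.path.split(segment)[1]
        # Dropping "." and ".." (instead of applying them) is what makes the
        # number of ".." in the request irrelevant.
        if segment in ("", os.curdir, os.pardir):
            continue
        resolved = os.path.join(resolved, segment)
    return resolved


def is_confined(candidate, base_dir=DOC_ROOT):
    """Independent check that candidate lies inside base_dir.

    realpath() follows symlinks, so a link inside the root that points
    outside it is reported as an escape too.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def demo():
    """Resolve the request paths from the report; each must stay in the root."""
    requests = [
        "/../../../../..",
        "/../../../../../../../../proc",
        "/%2e%2e/%2e%2e/%2e%2e/sys",  # percent-encoded variant, constructed
    ]
    return {r: (translate_path(r), is_confined(translate_path(r))) for r in requests}
```

Note that the second check is deliberately independent of the first: if the resolver is ever changed, is_confined() still catches a path that lands outside the root.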