Python 3.11.3 http.server CGI source code disclosure and directory listing #104711
Comments
@arhadthedev this issue is not related to the deprecated cgi module. It affects http.server code, which includes a "cgi" mode.
Although
I'd settle for a note in the section of the doc page that explicitly says that the entire module is insecure. Maybe we need to explicitly say "expose this to untrusted clients at your own risk"? If the text that's there isn't clear enough.
At the head of the document there is a warning with a link: cpython/Doc/library/http.server.rst, line 23 at 8710fae
Follow the link; it says: cpython/Doc/library/http.server.rst, lines 525 to 541 at 8710fae
I think that some users may believe that, in version 3.12, there is only one known security issue related to following symbolic links, which can be avoided by not creating symbolic links in the folder. Therefore, I think it would be beneficial to add notes explaining that there are other known and unknown security issues, and we should not expose this to untrusted clients.
…dler document (pythonGH-115915) (cherry picked from commit dac8ff4) Co-authored-by: AN Long <aisk@users.noreply.github.com>
…GH-115915) (cherry picked from commit dac8ff4)
Python 3.11.3 http.server CGI mode - CGI source code disclosure
The Python http.server CGI implementation discloses the source code of CGI scripts because of an error in validating the CGI path on Windows.
This may allow an attacker to read the source code of CGI applications and obtain internal information.
Tested on
Python 3.11.3 amd64 on Windows 11
Analysis
The is_cgi method (cpython/Lib/http/server.py, line 1008 at 4536b2e) will return False when the server is called with the following path: http://localhost:8000/X:/cgi-bin/hi.py
This path is then used inside the function translate_path (cpython/Lib/http/server.py, line 830 at 4536b2e), which will ignore the "X:" part, hence the final path will point to the cgi-bin/hi.py file.
Proof-of-Concept
When called with the following command, the source code for hi.py is returned instead of the HTML output:
Directory Listing:
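The mismatch the report describes, as an added example that is neither the reporter's code nor CPython's: a compact model of the 3.11 is_cgi() and translate_path() decisions, parameterised on ntpath or posixpath so the Windows behaviour can be reproduced on any host. CGI_DIRECTORIES mirrors the handler's default list, the document roots C:\www and /srv/www are made up, and classify_request is a hypothetical hardening (refuse any URL naming a component the filesystem mapping would drop), not the change the project adopted.

```python
"""Model of the http.server 3.11 CGI path mismatch (added example, not CPython code).

is_cgi() decides "is this a CGI request?" with URL semantics: some leading
prefix of the collapsed URL path must equal a CGI directory.  translate_path()
maps the same URL to a filesystem path with *local* os.path semantics and
silently drops any component whose dirname is non-empty.  On Windows,
ntpath.dirname("X:") == "X:", so "X:" is dropped, cgi-bin/hi.py is opened,
and because is_cgi() already answered False the script is served as a plain
file instead of being executed.
"""
import ntpath
import posixpath
import urllib.parse

CGI_DIRECTORIES = ['/cgi-bin', '/htbin']   # handler default (assumed unchanged)


def url_collapse_path(path: str) -> str:
    """URL-semantics normalisation, modelled on the helper is_cgi() uses."""
    path, _, query = path.partition('?')
    path = urllib.parse.unquote(path)
    parts = path.split('/')
    head = []
    for part in parts[:-1]:
        if part == '..':
            head.pop()
        elif part and part != '.':
            head.append(part)
    tail = parts[-1]
    if tail == '..':
        head.pop()
        tail = ''
    elif tail == '.':
        tail = ''
    if query:
        tail = '?'.join((tail, query))
    return '/'.join(('/' + '/'.join(head), tail))


def is_cgi_path(url_path: str) -> bool:
    """Mirror of the 3.11 is_cgi() decision: a prefix must be a CGI directory."""
    collapsed = url_collapse_path(url_path)
    sep = collapsed.find('/', 1)
    while sep > 0 and collapsed[:sep] not in CGI_DIRECTORIES:
        sep = collapsed.find('/', sep + 1)
    return sep > 0


def _url_words(url_path: str) -> list:
    """Query/fragment stripped, percent-decoded, normalised, split on '/'."""
    url_path = url_path.split('?', 1)[0].split('#', 1)[0]
    url_path = posixpath.normpath(urllib.parse.unquote(url_path))
    return [w for w in url_path.split('/') if w]


def translate_path(url_path: str, directory: str, ospath) -> str:
    """Mirror of translate_path(); pass ntpath or posixpath as `ospath`."""
    result = directory
    for word in _url_words(url_path):
        # A component with a non-empty dirname ("X:" under ntpath) is ignored.
        if ospath.dirname(word) or word in (ospath.curdir, ospath.pardir):
            continue
        result = ospath.join(result, word)
    return result


def classify_request(url_path: str, ospath) -> str:
    """Hypothetical hardened dispatch: 'cgi', 'file' or 'reject'.

    The CGI decision is made from exactly the components the filesystem
    mapping keeps, and a URL naming a component that would be dropped is
    refused outright rather than quietly remapped.
    """
    words = _url_words(url_path)
    kept = [w for w in words
            if not ospath.dirname(w) and w not in (ospath.curdir, ospath.pardir)]
    if kept != words:
        return 'reject'
    if len(kept) >= 2 and '/' + kept[0] in CGI_DIRECTORIES:
        return 'cgi'
    return 'file'


def reproduce(url_path: str = '/X:/cgi-bin/hi.py') -> dict:
    """Run every check against one URL so the mismatch is visible side by side."""
    return {
        'is_cgi': is_cgi_path(url_path),                                # False
        'windows_path': translate_path(url_path, r'C:\www', ntpath),    # C:\www\cgi-bin\hi.py
        'posix_path': translate_path(url_path, '/srv/www', posixpath),  # /srv/www/X:/cgi-bin/hi.py
        'hardened_windows': classify_request(url_path, ntpath),         # reject
        'hardened_posix': classify_request(url_path, posixpath),        # file
    }


if __name__ == '__main__':
    for key, value in reproduce().items():
        print(f'{key:17} {value}')
```

Running the block shows the two halves of the handler disagreeing about the same request: under ntpath the URL is not CGI yet maps onto cgi-bin/hi.py, while under posixpath "X:" survives as a directory name and the request simply misses. The hardened classifier refuses the Windows case because the URL names a component the mapping would discard, which is the invariant a practitioner should check for in any server that routes on one normalisation and opens files with another.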
Linked PRs
is_cgi method in http/server.py #114346