From 1071e1176543e710a1c2253a20dc2ca287663c96 Mon Sep 17 00:00:00 2001 From: Sam Ezeh Date: Wed, 29 Jun 2022 14:56:50 +0100 Subject: [PATCH 1/2] Document that SimpleHTTPRequestHandler follows symbolic links --- Doc/library/http.server.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 9d5e5e3a75b197..11dfb09afc3df8 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -20,7 +20,9 @@ This module defines classes for implementing HTTP servers. .. warning:: :mod:`http.server` is not recommended for production. It only implements - basic security checks. + basic security checks. :class:`SimpleHTTPRequestHandler` will follow + symbolic links when handling requests, this makes it possible for files + outside of the specified directory to be served. One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass. It creates and listens at the HTTP socket, dispatching the requests to a From 6ea4b7fc67987387edec53855569236fcb4b3be9 Mon Sep 17 00:00:00 2001 From: Sam Ezeh Date: Thu, 30 Jun 2022 12:09:47 +0100 Subject: [PATCH 2/2] Create new http.server security consideration section. Add reference on the main security considerations page. --- Doc/library/http.server.rst | 15 ++++++++++++--- Doc/library/security_warnings.rst | 2 +- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 11dfb09afc3df8..3bb7294ebb4a79 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst 
@@ -20,9 +20,7 @@ This module defines classes for implementing HTTP servers. .. warning:: :mod:`http.server` is not recommended for production. It only implements - basic security checks. :class:`SimpleHTTPRequestHandler` will follow - symbolic links when handling requests, this makes it possible for files - outside of the specified directory to be served. + :ref:`basic security checks `. One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass. It creates and listens at the HTTP socket, dispatching the requests to a @@ -501,3 +499,14 @@ following command runs an HTTP/1.1 conformant server:: the ``--cgi`` option:: python -m http.server --cgi + +.. _http.server-security: + +Security Considerations +----------------------- + +.. index:: pair: http.server; security + +:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling +requests, this makes it possible for files outside of the specified directory +to be served. diff --git a/Doc/library/security_warnings.rst b/Doc/library/security_warnings.rst index f985dc4acd11c1..284f3658320623 100644 --- a/Doc/library/security_warnings.rst +++ b/Doc/library/security_warnings.rst @@ -14,7 +14,7 @@ The following modules have specific security considerations: argument disabling known insecure and blocked algorithms ` * :mod:`http.server` is not suitable for production use, only implementing - basic security checks + basic security checks. See the :ref:`security considerations `. * :mod:`logging`: :ref:`Logging configuration uses eval() ` * :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
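Review bot: In the first patch's hunk at ``@@ -20,7 +20,9 @@`` (``Doc/library/http.server.rst``), the added sentence is a comma splice: "will follow symbolic links when handling requests, this makes it possible for files outside of the specified directory to be served." Split it ("...when handling requests. This makes it possible...") or use a semicolon. "the specified directory" is also vague here; naming the ``directory`` argument of :class:`SimpleHTTPRequestHandler` would tell readers exactly which boundary is not enforced. Since the second patch moves this text out of the warning again, consider squashing the two commits so the warning text is written only once.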
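Review bot: In the second patch's hunk at ``@@ -20,9 +20,7 @@`` (``Doc/library/http.server.rst``), the replacement line ``:ref:`basic security checks `.`` shows no explicit target after the link text as rendered here; a ``:ref:`` with custom link text needs the ``<label>`` suffix, and it should point at the ``http.server-security`` label that the later hunk defines. Please confirm the target survived in the actual patch and that a docs build resolves it, otherwise the warning loses its link to the new section.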
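Review bot: In the hunk at ``@@ -501,3 +499,14 @@`` (``Doc/library/http.server.rst``), the body of the new "Security Considerations" section carries the same comma splice as the earlier warning ("...when handling requests, this makes it possible..."); fix it here too. Beyond the wording, the section would be more useful if it stated the practical consequence for operators: because symbolic links are followed, passing ``directory`` does not by itself confine what can be served, and a symlink created inside the served tree can expose files outside it. A one-line mitigation (serve only a directory whose contents you control and that contains no symbolic links pointing outside it) would turn the note from a statement into guidance. The ``.. _http.server-security:`` label and the ``.. index:: pair: http.server; security`` entry look correct and match the convention used by other modules' "Security Considerations" sections.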
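Review bot: In the hunk at ``@@ -14,7 +14,7 @@`` (``Doc/library/security_warnings.rst``), ``:ref:`security considerations `.`` again shows no explicit ``<label>`` after the link text as extracted here; it must reference the ``http.server-security`` label added in ``http.server.rst`` in the same patch, and the docs build should be checked for an unresolved-reference warning. Stylistically, the surrounding entries follow the pattern ``* :mod:`name`: :ref:`...``` (a colon after the module name and the whole item as one phrase), while this one reads as two sentences; consider ``* :mod:`http.server`: :ref:`not suitable for production use, only implementing basic security checks <http.server-security>``` to match.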