Skip to content

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vstinner wants to merge 1 commit into from
Closed

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

vstinner wants to merge 1 commit into from

Conversation

@vstinner
Copy link
Member

@vstinner vstinner commented Feb 21, 2017

Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.

(cherry picked from commit d274b3f)

http://bugs.python.org/issue26657

Backport to 3.4 the fix of a security vulnerability:
http://python-security.readthedocs.io/vulnerabilities.html#issue-26657

This pull request is based on PR #224. It's the first time that I try to create a PR based on another one. Let's see how it works :-)

@vstinner vstinner added the type-security A security issue label Feb 21, 2017
@vstinner vstinner mentioned this pull request Feb 21, 2017
Merged
berkerpeksag
berkerpeksag reviewed Feb 21, 2017
View reviewed changes
Misc/NEWS Outdated
Copy link
Member

@berkerpeksag berkerpeksag Feb 21, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't also this be in section "What's New in Python 3.4.7 release candidate 1"?

Copy link
Member Author

@vstinner vstinner Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, it's a bug in my cherry pick :-/

Copy link
Member Author

@vstinner vstinner Mar 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@vadmium @vstinner
Issue #26657: Fix Windows directory traversal vulnerability with http…
955d52a 
….server

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
@vstinner vstinner requested a review from larryhastings March 27, 2017 14:01
@vstinner vstinner changed the title Issue26657/3.4 [Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server Mar 27, 2017
@vstinner
Copy link
Member Author

vstinner commented Mar 27, 2017

Oops, I backported the change twice. I abandon this one in favor of #782

@vstinner vstinner closed this Mar 27, 2017
@vstinner vstinner deleted the issue26657/3.4 branch August 10, 2017 23:37
akruis added a commit to akruis/cpython that referenced this pull request Aug 8, 2019
@akruis
Stackless issue python#226: Fix a reference leak caused by bpo-37788
6e15c22 
Apply the workaround from bpo-37788: join the created thread.
akruis added a commit to akruis/cpython that referenced this pull request May 27, 2021
@akruis
Stackless issue python#226: Fix a reference leak caused by bpo-37788
4b817a8 
Apply the workaround from bpo-37788: join the created thread.

(cherry picked from commit 6e15c22)
jaraco pushed a commit that referenced this pull request Dec 2, 2022
@pyup-bot @Mariatta
Update pytest from 4.3.1 to 4.4.2 (#226)
bdfb816
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@berkerpeksag berkerpeksag berkerpeksag left review comments

@larryhastings larryhastings Awaiting requested review from larryhastings

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vstinner @berkerpeksag @the-knights-who-say-ni @vadmium