@vstinner
Member

Based on patch by Philipp Hagemeister. This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)

@mention-bot

@Haypo, thanks for your PR! By analyzing the history of the files in this pull request, we identified @birkenfeld, @gvanrossum and @orsenthil to be potential reviewers.

@vstinner vstinner requested review from larryhastings and tiran March 23, 2017 12:28
@vstinner
Member Author

This change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

It's the last known vulnerability which is not fixed in Python 3.4 yet.

@vstinner vstinner changed the title from "[3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server" to "[security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server" Mar 27, 2017
@vstinner vstinner requested a review from berkerpeksag March 27, 2017 14:04
@vstinner
Member Author

Hi @larryhastings, would you mind reviewing this one as well?

@vstinner
Member Author

ping @larryhastings ;-)

@vstinner
Member Author

vstinner commented Jun 7, 2017

@larryhastings: Larry, can you please merge this change? It was already approved, but only you have the power to merge it into Python 3.4. The change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

@vstinner vstinner closed this Jun 15, 2017
@vstinner vstinner deleted the backport-d274b3f-3.4 branch June 15, 2017 23:03
@vstinner vstinner restored the backport-d274b3f-3.4 branch June 19, 2017 20:39
@vstinner
Member Author

Oops, I removed the branch by mistake, I didn't want to close this PR. The vulnerability is not fixed in 3.4 yet.

@vstinner vstinner reopened this Jun 19, 2017
@vstinner
Member Author

Ping @larryhastings. Would you mind reviewing this change? Or would you prefer that I find someone else to review it, and then you merge it?

By the way, I wrote this change before blurb was announced. Should I update my PR to use blurb (NEWS.d)?

Member

@zooba zooba left a comment

👍

@larryhastings
Contributor

Please update your PR to use NEWS.d and I'll accept it. Thanks!

…rver

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
@vstinner
Member Author

> Please update your PR to use NEWS.d and I'll accept it. Thanks!

Sure, I converted the NEWS entry to a NEWS.d file, and rebased the PR.

@larryhastings larryhastings merged commit 6f6bc1d into python:3.4 Jul 12, 2017
@larryhastings
Contributor

Thanks!

ned-deily pushed a commit that referenced this pull request Jul 26, 2017
…rver (#782) (#2860)

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
(cherry picked from commit 6f6bc1d)
@vstinner vstinner deleted the backport-d274b3f-3.4 branch August 10, 2017 23:40
Labels

type-security A security issue
