[proxy] web.archive.org← back | site home | direct (HTTPS) ↗ | proxy home | ◑ dark◐ light
/ cpython Public
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

Closed
wants to merge 1 commit into from
Closed

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

wants to merge 1 commit into from

Conversation

Copy link
Member

vstinner commented Feb 21, 2017

Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.

(cherry picked from commit d274b3f)

http://bugs.python.org/issue26657

Backport to 3.4 the fix of a security vulnerability:
http://python-security.readthedocs.io/vulnerabilities.html#issue-26657

This pull request is based on PR #224. It's the first time that I try to create a PR based on another one. Let's see how it works :-)

vstinner added the type-security A security issue label Feb 21, 2017
vstinner mentioned this pull request Feb 21, 2017
Merged
berkerpeksag reviewed Feb 21, 2017
View changes
Misc/NEWS Outdated
@@ -70,6 +72,10 @@ Build
Tests
-----

- Issue #26657: Fix directory traversal vulnerability with http.server on
Copy link
Member

berkerpeksag Feb 21, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't also this be in section "What's New in Python 3.4.7 release candidate 1"?

Copy link
Member Author

vstinner Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, it's a bug in my cherry pick :-/

Copy link
Member Author

vstinner Mar 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

Issue python#26657: Fix Windows directory traversal vulnerability wit…
955d52a 
…h http.server

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
vstinner requested a review from larryhastings Mar 27, 2017
vstinner changed the title Issue26657/3.4 [Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server Mar 27, 2017
Copy link
Member Author

vstinner commented Mar 27, 2017

Oops, I backported the change twice. I abandon this one in favor of #782

vstinner closed this Mar 27, 2017
vstinner deleted the issue26657/3.4 branch Aug 10, 2017
akruis pushed a commit to akruis/cpython that referenced this issue Aug 8, 2019
Stackless issue python#226: Fix a reference leak caused by bpo-37788
6e15c22 
Apply the workaround from bpo-37788: join the created thread.
akruis pushed a commit to akruis/cpython that referenced this issue May 27, 2021
Stackless issue python#226: Fix a reference leak caused by bpo-37788
4b817a8 
Apply the workaround from bpo-37788: join the created thread.

(cherry picked from commit 6e15c22)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

berkerpeksag

larryhastings

Assignees
No one assigned
Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants