[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

vstinner · 2017-02-21T22:09:37Z

Issue #26657: Fix Windows directory traversal vulnerability with http.server

Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.

(cherry picked from commit d274b3f)

http://bugs.python.org/issue26657

Backport to 3.4 the fix of a security vulnerability:
http://python-security.readthedocs.io/vulnerabilities.html#issue-26657

This pull request is based on PR #224. It's the first time that I try to create a PR based on another one. Let's see how it works :-)

berkerpeksag · 2017-02-21T23:11:03Z

Misc/NEWS

@@ -70,6 +72,10 @@ Build
 Tests
 -----

+- Issue #26657: Fix directory traversal vulnerability with http.server on


Shouldn't also this be in section "What's New in Python 3.4.7 release candidate 1"?

Oh right, it's a bug in my cherry pick :-/

….server Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47. (cherry picked from commit d274b3f)

vstinner · 2017-03-27T14:04:12Z

Oops, I backported the change twice. I abandon this one in favor of #782

Apply the workaround from bpo-37788: join the created thread.

Apply the workaround from bpo-37788: join the created thread. (cherry picked from commit 6e15c22)

vstinner added the type-security A security issue label Feb 21, 2017

the-knights-who-say-ni added the CLA signed label Feb 21, 2017

vstinner mentioned this pull request Feb 21, 2017

[3.4] Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… #224

Merged

berkerpeksag reviewed Feb 21, 2017

View reviewed changes

Issue #26657: Fix Windows directory traversal vulnerability with http…

955d52a

….server Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47. (cherry picked from commit d274b3f)

vstinner requested a review from larryhastings March 27, 2017 14:01

vstinner changed the title ~~Issue26657/3.4~~ [Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server Mar 27, 2017

vstinner closed this Mar 27, 2017

vstinner deleted the issue26657/3.4 branch August 10, 2017 23:37

akruis pushed a commit to akruis/cpython that referenced this pull request Aug 8, 2019

Stackless issue python#226: Fix a reference leak caused by bpo-37788

6e15c22

Apply the workaround from bpo-37788: join the created thread.

akruis pushed a commit to akruis/cpython that referenced this pull request May 27, 2021

Stackless issue python#226: Fix a reference leak caused by bpo-37788

4b817a8

Apply the workaround from bpo-37788: join the created thread. (cherry picked from commit 6e15c22)

jaraco pushed a commit that referenced this pull request Dec 2, 2022

Update pytest from 4.3.1 to 4.4.2 (#226)

bdfb816

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

[Security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server #226

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!