[security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server by vstinner · Pull Request #782 · python/cpython · GitHub

Merged (1 commit, Jul 12, 2017)

Conversation

vstinner (Member)

Based on patch by Philipp Hagemeister. This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)

@mention-bot

@Haypo, thanks for your PR! By analyzing the history of the files in this pull request, we identified @birkenfeld, @gvanrossum and @orsenthil to be potential reviewers.

@vstinner vstinner requested review from tiran and larryhastings March 23, 2017 12:28
@vstinner (Member, Author)

This change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

It's the last known vulnerability which is not fixed in Python 3.4 yet.

@vstinner vstinner changed the title [3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server [security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server Mar 27, 2017
@vstinner vstinner requested a review from berkerpeksag March 27, 2017 14:04
@vstinner (Member, Author)

Hi @larryhastings, would you mind reviewing this one as well?

@vstinner (Member, Author)

ping @larryhastings ;-)

@vstinner (Member, Author) commented Jun 7, 2017

@larryhastings: Larry, can you please merge this change? It was already approved, but only you have the power to merge it into Python 3.4. The change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

@vstinner vstinner closed this Jun 15, 2017
@vstinner vstinner deleted the backport-d274b3f-3.4 branch June 15, 2017 23:03
@vstinner vstinner restored the backport-d274b3f-3.4 branch June 19, 2017 20:39
@vstinner (Member, Author)

Oops, I removed the branch by mistake; I didn't want to close this PR. The vulnerability is not fixed in 3.4 yet.

@vstinner vstinner reopened this Jun 19, 2017
@vstinner (Member, Author)

Ping @larryhastings. Would you mind reviewing this change? Or would you prefer that I find someone else to review it, and then you merge it?

By the way, I wrote this change before blurb was announced. Should I update my PR to use blurb (NEWS.d)?

@zooba (Member) left a review comment:

👍

@larryhastings (Contributor)

Please update your PR to use NEWS.d and I'll accept it. Thanks!

…rver

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
@vstinner (Member, Author)

Please update your PR to use NEWS.d and I'll accept it. Thanks!

Sure, I converted the NEWS entry to a NEWS.d file, and rebased the PR.

@larryhastings larryhastings merged commit 6f6bc1d into python:3.4 Jul 12, 2017
@larryhastings (Contributor)

Thanks!

ned-deily pushed a commit that referenced this pull request Jul 26, 2017
…rver (#782) (#2860)

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
(cherry picked from commit 6f6bc1d)
@vstinner vstinner deleted the backport-d274b3f-3.4 branch August 10, 2017 23:40
Labels: type-security (A security issue)

8 participants