python 3.11 http.server internal path disclosure #104049
Description
Bug report
Description
Python http.server will disclose the full path where the http server is running when certains URL encoded values are sent as parameters. This was tested on a linux and windows machine. This was initially reported to security@ but I was asked to create an issue here. I am including the analysis that Gregory P Smith did.
Steps to reproduce
Run
python -m http.server 9000 From another terminal:
C:\Users\fmunozs>curl http://localhost:9000/?x=123 <!DOCTYPE HTML> <html lang="en"> <head> <meta charset="utf-8"> <title>Directory listing for /?x=123</title> </head> <body> <h1>Directory listing for /?x=123</h1> <hr> <ul> <li><a href="x.txt">x.txt</a></li> </ul> <hr> </body> </html> curl http://localhost:9000/?x=%bb <!DOCTYPE HTML> <html lang="en"> <head> <meta charset="utf-8"> <title>Directory listing for C:\Users\fmunozs\Desktop\test/</title> </head> <body> <h1>Directory listing for C:\Users\fmunozs\Desktop\test/</h1> <hr> <ul> <li><a href="x.txt">x.txt</a></li> </ul> <hr> </body> </html> Your environment
- CPython versions tested on: 3.11.3
- Operating system and architecture: Windows 11 and Linux
Analysis by Gregory P Smith
This comes from https://github.com/python/cpython/blob/v3.11.3/Lib/http/server.py#L789-L793 and has been that way probably forever in Python.
urllib.parse.unquote('/?x=%bb', errors='surrogatepass') UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbb in position 4: invalid start byte Thus self.path isn't used for displaypath and it falls back to displaying path which is the local filesystem path we don't want a server to expose, per that try:..except:..
Linked PRs
- gh-104049: do not expose on-disk location used by SimpleHTTPServer #104067
- [3.10] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104119
- [3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104120
- [3.8] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104121
- [3.7] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104122
- [3.11] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) #104123