Skip to content

[security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server#782

Merged
larryhastings merged 1 commit intopython:3.4from
vstinner:backport-d274b3f-3.4
Jul 12, 2017
Merged

[security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server#782
larryhastings merged 1 commit intopython:3.4from
vstinner:backport-d274b3f-3.4

Conversation

@vstinner
Copy link
Member

@vstinner vstinner commented Mar 23, 2017

Based on patch by Philipp Hagemeister. This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)

@vstinner vstinner added the type-security A security issue label Mar 23, 2017
@mention-bot
Copy link

mention-bot commented Mar 23, 2017

@Haypo, thanks for your PR! By analyzing the history of the files in this pull request, we identified @birkenfeld, @gvanrossum and @orsenthil to be potential reviewers.

@vstinner vstinner requested review from larryhastings and tiran March 23, 2017 12:28
@vstinner
Copy link
Member Author

vstinner commented Mar 23, 2017

This change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

It's the last known vulnerability which is not fixed in Python 3.4 yet.

@vstinner vstinner changed the title [3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server [security][3.4] bpo-26657: Fix Windows directory traversal vulnerability with http.server Mar 27, 2017
@vstinner vstinner mentioned this pull request Mar 27, 2017
Closed
@vstinner vstinner requested a review from berkerpeksag March 27, 2017 14:04
@vstinner
Copy link
Member Author

vstinner commented Mar 27, 2017

Hi @larryhastings, would you mind to review this one as well?

@vstinner
Copy link
Member Author

vstinner commented Apr 28, 2017

ping @larryhastings ;-)

@vstinner
Copy link
Member Author

vstinner commented Jun 7, 2017

@larryhastings: Larry, can you please merge this change? It was already approved, but only you has the power to merge it into Python 3.4. The change is a backport for a major security vulnerability:
http://python-security.readthedocs.io/vuln/issue_26657_http_directory_traversal.html

@vstinner vstinner closed this Jun 15, 2017
@vstinner vstinner deleted the backport-d274b3f-3.4 branch June 15, 2017 23:03
@vstinner vstinner restored the backport-d274b3f-3.4 branch June 19, 2017 20:39
@vstinner
Copy link
Member Author

vstinner commented Jun 19, 2017

Oops, I removed the branch my mistake, I didn't want to close this PR. The vulnerability is not fixed in 3.4 yet.

@vstinner vstinner reopened this Jun 19, 2017
@vstinner
Copy link
Member Author

vstinner commented Jun 28, 2017

Ping @larryhastings. Would you mind to review this change? Or would you prefer that I find someone else to review it, and then you merge it?

By the way, I wrote this change before blurb was announced. Should I update my PR to use blurb (NEWS.d)?

zooba
zooba approved these changes Jul 11, 2017
View reviewed changes
Copy link
Member

@zooba zooba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@larryhastings
Copy link
Contributor

larryhastings commented Jul 11, 2017

Please update your PR to use NEWS.d and I'll accept it. Thanks!

@vadmium @vstinner
bpo-26657: Fix Windows directory traversal vulnerability with http.se…
ef39349 
…rver

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
@vstinner
Copy link
Member Author

vstinner commented Jul 11, 2017

Please update your PR to use NEWS.d and I'll accept it. Thanks!

Sure, I converted the NEWS entry to a NEWS.d file, and rebased the PR.

@larryhastings larryhastings merged commit 6f6bc1d into python:3.4 Jul 12, 2017
@larryhastings
Copy link
Contributor

larryhastings commented Jul 12, 2017

Thanks!

@vstinner vstinner mentioned this pull request Jul 25, 2017
Merged
ned-deily pushed a commit that referenced this pull request Jul 26, 2017
@vstinner @ned-deily
bpo-26657: Fix Windows directory traversal vulnerability with http.se…
7b92f9f 
…rver (#782) (#2860)

Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.

(cherry picked from commit d274b3f)
(cherry picked from commit 6f6bc1d)
@vstinner vstinner deleted the backport-d274b3f-3.4 branch August 10, 2017 23:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@berkerpeksag berkerpeksag berkerpeksag approved these changes

@zooba zooba zooba approved these changes

@tiran tiran Awaiting requested review from tiran

@larryhastings larryhastings Awaiting requested review from larryhastings

+1 more reviewer

@duboviy duboviy duboviy approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@vstinner @mention-bot @larryhastings @berkerpeksag @zooba @duboviy @the-knights-who-say-ni @vadmium