.. _http-server-directory-traversal:

Issue #26657: HTTP server directory traversal
=============================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is
   available on GitHub in the Open Source Vulnerability (OSV) format.
   This database can be viewed online at the Open Source Vulnerability
   Database.

Fix directory traversal vulnerability with ``http.server`` and
``SimpleHTTPServer`` on Windows. Regression of Python 3.3.5.

Python issue reported on 2016-03-14.

Dates:

* Disclosure date: **2016-03-28** (Python issue bpo-26657 reported)

Fixed In
--------

* Python **2.7.12** (2016-06-25) fixed by commit 0cf2cf2 (branch 2.7) (2016-04-18)
* Python **3.3.7** (2017-09-19) fixed by commit 7b92f9f (branch 3.3) (2017-07-26)
* Python **3.4.7** (2017-08-09) fixed by commit 6f6bc1d (branch 3.4) (2017-07-12)
* Python **3.5.2** (2016-06-25) fixed by commit d274b3f (branch 3.5) (2016-04-18)
* Python **3.6.0** (2016-12-22) fixed by commit d274b3f (branch 3.5) (2016-04-18)

Python issue
------------

Directory traversal with http.server and SimpleHTTPServer on Windows.

* Python issue: bpo-26657
* Creation date: 2016-03-28
* Reporter: Thomas

Timeline
--------

Timeline using the disclosure date **2016-03-28** as reference:

* 2016-03-28: Python issue bpo-26657 reported by Thomas
* 2016-04-18 (**+21 days**): commit 0cf2cf2 (branch 2.7)
* 2016-04-18 (**+21 days**): commit d274b3f (branch 3.5)
* 2016-06-25 (**+89 days**): Python 2.7.12 released
* 2016-06-25 (**+89 days**): Python 3.5.2 released
* 2016-12-22: Python 3.6.0 released
* 2017-07-12 (**+471 days**): commit 6f6bc1d (branch 3.4)
* 2017-07-26 (**+485 days**): commit 7b92f9f (branch 3.3)
* 2017-08-09 (**+499 days**): Python 3.4.7 released
* 2017-09-19 (**+540 days**): Python 3.3.7 released