.. _simplehttpserver-utf-7:

SimpleHTTPServer UTF-7
======================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

The ``list_directory()`` function in ``Lib/SimpleHTTPServer.py`` in ``SimpleHTTPServer`` in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

Dates:

* Disclosure date: **2011-03-08** (Python issue bpo-11442 reported)
* Reported by: email received on the Python security list

Fixed In
--------

* Python **2.5.6** (2011-05-28) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)
* Python **2.6.7** (2011-06-04) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)
* Python **2.7.2** (2011-06-11) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)
* Python **3.2.4** (2013-04-06) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)
* Python **3.3.1** (2013-04-06) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)
* Python **3.4.0** (2014-03-16) fixed by `commit 3853586 (branch 2.5) `_ (2011-03-17)

Python issue
------------

list_directory() in SimpleHTTPServer.py should add charset=... to Content-type header.

* Python issue: `bpo-11442 `_
* Creation date: 2011-03-08
* Reporter: Guido van Rossum

CVE-2011-4940
-------------

The ``list_directory()`` function in ``Lib/SimpleHTTPServer.py`` in ``SimpleHTTPServer`` in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

* CVE ID: `CVE-2011-4940 `_
* Published: 2012-06-27
* `CVSS Score `_: 2.6

Timeline
--------

Timeline using the disclosure date **2011-03-08** as reference:

* 2011-03-08: `Python issue bpo-11442 `_ reported by Guido van Rossum
* 2011-03-17 (**+9 days**): `commit 3853586 (branch 2.5) `_
* 2011-05-28 (**+81 days**): Python 2.5.6 released
* 2011-06-04 (**+88 days**): Python 2.6.7 released
* 2011-06-11 (**+95 days**): Python 2.7.2 released
* 2012-06-27 (**+477 days**): CVE-2011-4940 published
* 2013-04-06 (**+760 days**): Python 3.2.4 released
* 2013-04-06 (**+760 days**): Python 3.3.1 released
* 2014-03-16: Python 3.4.0 released
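The defect above is a missing ``charset`` parameter on a ``text/html`` response: with no declared encoding, a browser that sniffs the encoding (Internet Explorer 7 in this case) may interpret bytes of a directory listing as UTF-7, and HTML-escaped file names can come back out as markup. The following is an added example, not Python's own ``SimpleHTTPServer`` code: a small listing builder in the style of ``list_directory()`` that can emit either the pre-fix header or the fixed one, plus a header check that can be applied to any HTTP response. The function names ``build_listing`` and ``content_type_declares_charset`` are assumptions chosen for this example.

```python
"""Added example (not CPython's own code): directory listing response with
and without the charset parameter that fixed bpo-11442, plus a check."""
import html
import sys
import urllib.parse
from email.message import Message


def build_listing(path, entries, encoding=None, declare_charset=True):
    """Return (headers, body_bytes) for a directory listing of `entries`.

    declare_charset=False reproduces the pre-fix behaviour described on the
    page: text/html with no charset, leaving the encoding to client sniffing.
    """
    enc = encoding or sys.getfilesystemencoding()
    title = "Directory listing for %s" % html.escape(path)
    lines = ["<!DOCTYPE html>", "<html><head>"]
    if declare_charset:
        # In-document declaration as well as the header (the fix added both).
        lines.append('<meta charset="%s">' % enc)
    lines += ["<title>%s</title></head>" % title,
              "<body><h1>%s</h1><hr><ul>" % title]
    for name in sorted(entries):
        # HTML-escape the visible name and percent-encode the href target,
        # as list_directory() does; escaping alone is not enough without a
        # declared charset, which is the point of this page.
        lines.append('<li><a href="%s">%s</a></li>'
                     % (urllib.parse.quote(name), html.escape(name)))
    lines += ["</ul><hr></body></html>"]
    body = "\n".join(lines).encode(enc, "surrogateescape")
    ctype = "text/html"
    if declare_charset:
        ctype += "; charset=%s" % enc
    headers = {"Content-Type": ctype, "Content-Length": str(len(body))}
    return headers, body


def content_type_declares_charset(content_type):
    """True if a text/* Content-Type value carries an explicit charset.

    Uses the stdlib MIME header parser so quoting and parameter order are
    handled the same way a client would handle them.
    """
    msg = Message()
    msg["Content-Type"] = content_type
    if not msg.get_content_type().startswith("text/"):
        return False
    return msg.get_param("charset") is not None
```

Running ``content_type_declares_charset`` over the ``Content-Type`` of every ``text/*`` response a service emits is a cheap regression check for this class of bug.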