Issue #26657: HTTP server directory traversal

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Fix directory traversal vulnerability with http.server and SimpleHTTPServer on Windows.

Regression of Python 3.3.5.

Python issue reported at 2016-03-14.

Dates:

• Disclosure date: 2016-03-28 (Python issue bpo-26657 reported)

Fixed In

• Python 2.7.12 (2016-06-25) fixed by commit 0cf2cf2 (branch 2.7) (2016-04-18)
• Python 3.3.7 (2017-09-19) fixed by commit 7b92f9f (branch 3.3) (2017-07-26)
• Python 3.4.7 (2017-08-09) fixed by commit 6f6bc1d (branch 3.4) (2017-07-12)
• Python 3.5.2 (2016-06-25) fixed by commit d274b3f (branch 3.5) (2016-04-18)
• Python 3.6.0 (2016-12-22) fixed by commit d274b3f (branch 3.5) (2016-04-18)

Python issue

Directory traversal with http.server and SimpleHTTPServer on windows.

• Python issue: bpo-26657
• Creation date: 2016-03-28
• Reporter: Thomas

Timeline

Timeline using the disclosure date 2016-03-28 as reference:

• 2016-03-28: Python issue bpo-26657 reported by Thomas
• 2016-04-18 (+21 days): commit 0cf2cf2 (branch 2.7)
• 2016-04-18 (+21 days): commit d274b3f (branch 3.5)
• 2016-06-25 (+89 days): Python 2.7.12 released
• 2016-06-25 (+89 days): Python 3.5.2 released
• 2016-12-22: Python 3.6.0 released
• 2017-07-12 (+471 days): commit 6f6bc1d (branch 3.4)
• 2017-07-26 (+485 days): commit 7b92f9f (branch 3.3)
• 2017-08-09 (+499 days): Python 3.4.7 released
• 2017-09-19 (+540 days): Python 3.3.7 released