Issue #26657: HTTP server directory traversal
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
Fix directory traversal vulnerability with http.server and SimpleHTTPServer on Windows.
Regression of Python 3.3.5.
Python issue reported at 2016-03-14.
Dates:
- Disclosure date: 2016-03-28 (Python issue bpo-26657 reported)
Fixed In
- Python 2.7.12 (2016-06-25) fixed by commit 0cf2cf2 (branch 2.7) (2016-04-18)
- Python 3.3.7 (2017-09-19) fixed by commit 7b92f9f (branch 3.3) (2017-07-26)
- Python 3.4.7 (2017-08-09) fixed by commit 6f6bc1d (branch 3.4) (2017-07-12)
- Python 3.5.2 (2016-06-25) fixed by commit d274b3f (branch 3.5) (2016-04-18)
- Python 3.6.0 (2016-12-22) fixed by commit d274b3f (branch 3.5) (2016-04-18)
Python issue
Directory traversal with http.server and SimpleHTTPServer on Windows.
- Python issue: bpo-26657
- Creation date: 2016-03-28
- Reporter: Thomas
Timeline
Timeline using the disclosure date 2016-03-28 as reference:
- 2016-03-28: Python issue bpo-26657 reported by Thomas
- 2016-04-18 (+21 days): commit 0cf2cf2 (branch 2.7)
- 2016-04-18 (+21 days): commit d274b3f (branch 3.5)
- 2016-06-25 (+89 days): Python 2.7.12 released
- 2016-06-25 (+89 days): Python 3.5.2 released
- 2016-12-22: Python 3.6.0 released
- 2017-07-12 (+471 days): commit 6f6bc1d (branch 3.4)
- 2017-07-26 (+485 days): commit 7b92f9f (branch 3.3)
- 2017-08-09 (+499 days): Python 3.4.7 released
- 2017-09-19 (+540 days): Python 3.3.7 released