SimpleHTTPServer UTF-7
The list_directory() function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
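The mechanism behind this entry is that the directory listing escapes file names as HTML, but escaping only covers the characters the server sees; if the response declares no charset, a browser that sniffs the page as UTF-7 decodes ASCII-only sequences into markup that was never escaped. The following is an added example, not code from CPython or from the bpo-11442 fix commit: charset_of(), audit_content_type(), escaped_name_survives_utf7() and fixed_listing_content_type() are illustrative names, and the file name used in the demonstration is constructed.

```python
# Added example (not code from CPython or from the fix for bpo-11442).
# It shows why a text/html response without a charset parameter matters and
# gives a small header audit a defender can run over captured responses.
import html
from email.message import Message


def charset_of(content_type):
    """Parse a Content-Type value and return its charset parameter (lowercased),
    or None when no charset is declared."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def audit_content_type(content_type):
    """Return a finding for a text/* response that declares no charset, else None.
    Non-text responses (e.g. application/octet-stream) are not flagged."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "text":
        return None
    if msg.get_content_charset() is None:
        return "text response without charset parameter: %r" % content_type
    return None


def escaped_name_survives_utf7(name):
    """Demonstrate the gap: html.escape() handles '<', '>' and '&' in the name
    as the server sees it, but an ASCII-only UTF-7 sequence contains none of
    them. Returns (escaped_name, what_a_utf7_sniffing_browser_would_render)."""
    escaped = html.escape(name, quote=False)
    # The page is ASCII; a browser with no declared charset may guess UTF-7.
    rendered = escaped.encode("ascii").decode("utf-7")
    return escaped, rendered


def fixed_listing_content_type(encoding):
    """The corrected header shape: declare the charset the listing was encoded
    with, so the browser never has to guess."""
    return "text/html; charset=%s" % encoding


if __name__ == "__main__":
    # Constructed file name: UTF-7 for "<b>hello</b>", using only ASCII.
    sample = "+ADw-b+AD4-hello+ADw-/b+AD4-"
    escaped, rendered = escaped_name_survives_utf7(sample)
    print("escaped as served :", escaped)
    print("sniffed as UTF-7  :", rendered)
    print("vulnerable header :", audit_content_type("text/html"))
    print("fixed header      :", fixed_listing_content_type("utf-8"),
          "->", audit_content_type(fixed_listing_content_type("utf-8")))
```

Run it directly to see the escaped name come back unchanged while its UTF-7 reading contains real tags; audit_content_type() is the check to apply to any text/* response from a server you operate, and fixed_listing_content_type() mirrors the shape of the corrected header (text/html plus an explicit charset).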
Dates:
- Disclosure date: 2011-03-08 (Python issue bpo-11442 reported)
- Reported by: email received on the Python security list
Fixed In
- Python 2.5.6 (2011-05-26) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 2.6.7 (2011-06-03) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 2.7.2 (2011-06-11) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.2.4 (2013-04-07) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.3.1 (2013-04-07) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.4.0 (2014-03-16) fixed by commit 3853586 (branch 2.5) (2011-03-17)
Python issue
list_directory() in SimpleHTTPServer.py should add charset=… to Content-type header.
- Python issue: bpo-11442
- Creation date: 2011-03-08
- Reporter: Guido van Rossum
CVE-2011-4940
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
- CVE ID: CVE-2011-4940
- Published: 2012-06-27
- CVSS Score: 2.6
Timeline
Timeline using the disclosure date 2011-03-08 as reference:
- 2011-03-08: Python issue bpo-11442 reported by Guido van Rossum
- 2011-03-17 (+9 days): commit 3853586 (branch 2.5)
- 2011-05-26 (+79 days): Python 2.5.6 released
- 2011-06-03 (+87 days): Python 2.6.7 released
- 2011-06-11 (+95 days): Python 2.7.2 released
- 2012-06-27 (+477 days): CVE-2011-4940 published
- 2013-04-07 (+761 days): Python 3.2.4 released
- 2013-04-07 (+761 days): Python 3.3.1 released
- 2014-03-16: Python 3.4.0 released