SimpleHTTPServer UTF-7

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The list_directory() function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

Dates:

  • Disclosure date: 2011-03-08 (Python issue bpo-11442 reported)
  • Reported by: email received on the Python security list

Fixed In

Python issue

list_directory() in SimpleHTTPServer.py should add charset=… to Content-type header.

  • Python issue: bpo-11442
  • Creation date: 2011-03-08
  • Reporter: Guido van Rossum

CVE-2011-4940

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

Timeline

Timeline using the disclosure date 2011-03-08 as reference:

  • 2011-03-08: Python issue bpo-11442 reported by Guido van Rossum
  • 2011-03-17 (+9 days): commit 3853586 (branch 2.5)
  • 2011-05-28 (+81 days): Python 2.5.6 released
  • 2011-06-04 (+88 days): Python 2.6.7 released
  • 2011-06-11 (+95 days): Python 2.7.2 released
  • 2012-06-27 (+477 days): CVE-2011-4940 published
  • 2013-04-06 (+760 days): Python 3.2.4 released
  • 2013-04-06 (+760 days): Python 3.3.1 released
  • 2014-03-16: Python 3.4.0 released