SimpleHTTPServer UTF-7
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
The list_directory() function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
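The fix for this issue is to declare the body's encoding in the Content-Type header so that a browser never has to guess it. The following example is added here and is not the stdlib's own code: it builds a directory listing the way the fixed list_directory() does (escaped names plus a Content-Type that carries charset), and it includes a small audit function that flags captured responses whose text/* Content-Type lacks a charset parameter, which is the condition this advisory describes. It is written for Python 3, where the module is http.server; the function names, the SAMPLE_ENTRIES list and the SAMPLE_RESPONSES list are constructed for the example.

```python
import html
import urllib.parse
from email.message import Message

# Constructed sample directory entries (hypothetical names, one of them hostile-looking).
SAMPLE_ENTRIES = ["notes.txt", "sub dir", "<script>alert(1)</script>.html"]

# Constructed sample responses: (url, headers). The first mirrors the pre-fix
# behaviour (no charset), the second the fixed behaviour, the third is not text.
SAMPLE_RESPONSES = [
    ("/pre-fix/", {"Content-Type": "text/html"}),
    ("/fixed/", {"Content-Type": "text/html; charset=utf-8"}),
    ("/logo.png", {"Content-Type": "image/png"}),
]


def content_type_charset(value):
    """Return the charset parameter of a Content-Type header value, or None if absent.

    email.message.Message parses header parameters per RFC 2045, which handles
    quoting and case-insensitivity better than a hand-rolled split on ';'.
    """
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_param("charset", header="content-type")


def render_directory_listing(displaypath, entries, encoding="utf-8"):
    """Build (headers, body) for a directory listing the way the fixed
    list_directory() does: file names are HTML-escaped and the Content-Type
    header declares the encoding actually used for the body, so a browser has
    no reason to sniff a different one (such as UTF-7).
    """
    title = "Directory listing for %s" % html.escape(displaypath)
    lines = [
        "<!DOCTYPE html>",
        '<html><head><meta charset="%s">' % encoding,
        "<title>%s</title></head>" % title,
        "<body><h1>%s</h1><hr><ul>" % title,
    ]
    for name in sorted(entries, key=lambda a: a.lower()):
        # Percent-encode the href and escape the visible text separately.
        linkname = urllib.parse.quote(name, errors="surrogatepass")
        lines.append('<li><a href="%s">%s</a></li>' % (linkname, html.escape(name)))
    lines.append("</ul><hr></body></html>")
    body = "\n".join(lines).encode(encoding, "surrogateescape")
    headers = {
        "Content-Type": "text/html; charset=%s" % encoding,
        "Content-Length": str(len(body)),
    }
    return headers, body


def missing_charset(responses):
    """Return the URLs whose text/* Content-Type carries no charset parameter."""
    flagged = []
    for url, headers in responses:
        ctype = headers.get("Content-Type", "")
        media_type = ctype.split(";", 1)[0].strip().lower()
        if media_type.startswith("text/") and content_type_charset(ctype) is None:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    hdrs, body = render_directory_listing("/", SAMPLE_ENTRIES)
    print(hdrs["Content-Type"])
    print(body.decode("utf-8"))
    print("responses lacking charset:", missing_charset(SAMPLE_RESPONSES))
```

The audit function is deliberately strict about text/* only: binary types carry no charset and should not be flagged. Run the block directly to see the generated listing and the single pre-fix URL that the check reports.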
Dates:
- Disclosure date: 2011-03-08 (Python issue bpo-11442 reported)
- Reported by: email received on the Python security list
Fixed In
- Python 2.5.6 (2011-05-28) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 2.6.7 (2011-06-04) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 2.7.2 (2011-06-11) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.2.4 (2013-04-06) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.3.1 (2013-04-06) fixed by commit 3853586 (branch 2.5) (2011-03-17)
- Python 3.4.0 (2014-03-16) fixed by commit 3853586 (branch 2.5) (2011-03-17)
Python issue
list_directory() in SimpleHTTPServer.py should add charset=… to Content-type header.
- Python issue: bpo-11442
- Creation date: 2011-03-08
- Reporter: Guido van Rossum
CVE-2011-4940
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
- CVE ID: CVE-2011-4940
- Published: 2012-06-27
- CVSS Score: 2.6
Timeline
Timeline using the disclosure date 2011-03-08 as reference:
- 2011-03-08: Python issue bpo-11442 reported by Guido van Rossum
- 2011-03-17 (+9 days): commit 3853586 (branch 2.5)
- 2011-05-28 (+81 days): Python 2.5.6 released
- 2011-06-04 (+88 days): Python 2.6.7 released
- 2011-06-11 (+95 days): Python 2.7.2 released
- 2012-06-27 (+477 days): CVE-2011-4940 published
- 2013-04-06 (+760 days): Python 3.2.4 released
- 2013-04-06 (+760 days): Python 3.3.1 released
- 2014-03-16: Python 3.4.0 released