Sensitive information disclosure #13
Proposes to prevent access to non-web directories |
I think you shouldn't run simple-http-server in |
I think it doesn't matter where it runs, it's a security hole. |
The permission of |
The behavior of using other web-servers is different from it |
But nginx can do that, https://serverfault.com/questions/588770/why-can-nginx-access-etc-pass |
I think simple-http-server is breaking user expectations by serving files above the current working directory. For python's http.server, A user who is not aware of this will be accidentally exposing their system to the network, particularly when they have the |
I also expected simple-http-server to only serve the current working directory. Is that really not the case? |
Serving files above the path the server was invoked in/with is a major security issue. @TheWaWaR This issue should be reopened. I will fix it today. Additionally, after it's fixed, all previous versions should be marked with a security notice. |
Sorry, it's definitely a serious problem. |
Fixed in #35 |
I could use a Windows tester for #35 (comment) |
Thanks :D |
Readable to /etc/passwd file
http://your-ip/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
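The request above works because `%2f` decodes to `/`, so each `..%2f` becomes a parent-directory step once the server turns the URL into a filesystem path. The defensive pattern this thread calls for (serve nothing outside the directory the server was started in) is shown below as an added example in Rust, the project's language; it is not code from simple-http-server or from PR #35, and the function names `percent_decode` and `resolve_under_root` are my own. The key ordering is: decode first, then normalize path segments, then refuse any request whose `..` count would climb above the root.

```rust
use std::path::{Component, Path, PathBuf};

/// Percent-decode a request path ("..%2f" -> "../", "%2e%2e" -> "..") so that
/// encoded separators and dots are visible to the traversal check below.
/// Returns None on a malformed escape or a non-UTF-8 result.
fn percent_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3)?;          // need two hex digits
            let hex = std::str::from_utf8(hex).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Map a request path onto a filesystem path under `root`, purely lexically.
/// Returns None if the request would resolve outside `root` or contains a
/// segment that is not a plain file name.
fn resolve_under_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    let mut rel = PathBuf::new();
    let mut depth: usize = 0; // how many real directories deep we are under root

    // Treat both '/' and '\' as separators so a "..\" segment is not accepted
    // as an ordinary file name on one platform and a traversal on another.
    for seg in decoded.split(|c| c == '/' || c == '\\') {
        match seg {
            "" | "." => continue, // leading slash, "//", or current directory
            ".." => {
                if depth == 0 {
                    return None; // would climb above root: reject the request
                }
                rel.pop();
                depth -= 1;
            }
            other => {
                if other.contains('\0') {
                    return None;
                }
                // Accept only a single Normal component: this rejects things
                // like a drive prefix ("C:") on Windows that PathBuf::push
                // would otherwise let replace the root.
                let mut comps = Path::new(other).components();
                match (comps.next(), comps.next()) {
                    (Some(Component::Normal(_)), None) => {
                        rel.push(other);
                        depth += 1;
                    }
                    _ => return None,
                }
            }
        }
    }
    Some(root.join(rel))
}

fn main() {
    // Constructed sample inputs: a benign request and the traversal from this issue.
    let root = Path::new("/srv/www");
    for req in ["/index.html", "/..%2f..%2f..%2f..%2fetc/passwd", "/a/../b.txt"] {
        match resolve_under_root(root, req) {
            Some(p) => println!("{req} -> {}", p.display()),
            None => println!("{req} -> rejected"),
        }
    }
}
```

This check is lexical only: it guarantees the computed path string stays under `root`, but a symlink inside the served tree can still point elsewhere. Before opening the file, canonicalize both the root and the resolved path (`std::fs::canonicalize`) and require the latter to `starts_with` the former, which also catches the case where the server was started with a relative path.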