
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links #94416

Merged
merged 2 commits into from Jul 1, 2022

Conversation

@dignissimus dignissimus (Contributor) commented Jun 29, 2022

Documents that SimpleHTTPRequestHandler follows symbolic links when handling requests and explains the security implications.

Resolves #81054

@bedevere-bot bedevere-bot added awaiting review docs Documentation in the Doc dir labels Jun 29, 2022

@ambv ambv left a comment


Thanks for addressing this!

The current wording would suggest that following symlinks is the main (or even the only) security consideration of http.server which is far from the truth.

Instead of putting this information right in the "Warning" bar at the top, please create a "Security Considerations" section on the bottom of this page (http.server.rst). You can put your information there and we can later expand on it as needed.

Then you can link the word "security" in the "Warning" box to the new section, but more importantly you can put the new section here:

https://docs.python.org/3/library/security_warnings.html
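
To make the point of this review concrete, the following is an added example (not part of this PR and not CPython's own code). It shows that the stock handler's `translate_path` strips `..` components from the URL but does nothing about symbolic links inside the served directory, and sketches a hypothetical `ConfinedHandler` subclass that refuses any request whose resolved path lies outside the served tree. `escapes_directory`, `ConfinedHandler` and the temporary directory layout built in `demo()` are assumptions of the example.

```python
"""Added example (not CPython's code and not part of this PR): demonstrate that
SimpleHTTPRequestHandler serves files through symbolic links, and sketch a
hypothetical subclass that refuses requests resolving outside the served tree.
"""
import os
import tempfile
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def escapes_directory(directory: str, local_path: str) -> bool:
    """Return True if local_path, once every symlink in it is resolved, is not
    inside `directory`. Both sides go through realpath so a symlinked served
    directory (e.g. /tmp on macOS) compares correctly."""
    root = os.path.realpath(directory)
    real = os.path.realpath(local_path)
    return os.path.commonpath([root, real]) != root


class ConfinedHandler(SimpleHTTPRequestHandler):
    """Hypothetical hardened handler (assumed name; not in the stdlib).
    Answers 403 whenever the resolved target lies outside self.directory,
    which covers symlinks that the stock handler would follow."""

    def send_head(self):
        local = self.translate_path(self.path)
        if escapes_directory(self.directory, local):
            self.send_error(HTTPStatus.FORBIDDEN,
                            "Path resolves outside the served directory")
            return None
        return super().send_head()


def demo() -> dict:
    """Constructed layout: a served directory holding index.html and a symlink
    `leak` that points at a file outside it. Returns, per request path, what the
    stock handler would open and whether that escapes the served directory.
    Requires a platform where os.symlink is permitted."""
    with tempfile.TemporaryDirectory() as tmp:
        served = os.path.join(tmp, "www")
        os.mkdir(served)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("outside the served tree\n")
        with open(os.path.join(served, "index.html"), "w") as f:
            f.write("<p>hello</p>\n")
        os.symlink(secret, os.path.join(served, "leak"))

        # translate_path only reads self.directory, so a bare instance is
        # enough to see which local path the stock handler maps a URL to.
        handler = SimpleHTTPRequestHandler.__new__(SimpleHTTPRequestHandler)
        handler.directory = served

        results = {}
        for url in ("/index.html", "/leak", "/../secret.txt"):
            local = handler.translate_path(url)
            results[url] = {
                # realpath is what open() actually ends up reading
                "stock_opens": os.path.realpath(local),
                "escapes": escapes_directory(served, local),
            }
        return results


if __name__ == "__main__":
    for url, info in demo().items():
        verdict = "REFUSED by ConfinedHandler" if info["escapes"] else "served"
        print(f"{url:16} -> {info['stock_opens']}  [{verdict}]")
```

Running `demo()` shows the asymmetry the review is pointing at: `/../secret.txt` is neutralised by `translate_path` (the `..` is dropped and the lookup stays under the served directory), whereas `/leak` maps to a path inside the served directory that `open()` follows straight to `secret.txt`. The `ConfinedHandler` check is placed in `send_head` rather than `translate_path` so that the refusal is an explicit 403 instead of a manufactured 404.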

@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@dignissimus dignissimus requested a review from ambv June 30, 2022 11:11
@ambv ambv merged commit 80aaeab into python:main Jul 1, 2022
@miss-islington
Contributor

Thanks @dignissimus for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 1, 2022
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot

GH-94492 is a backport of this pull request to the 3.11 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.11 bug and security fixes label Jul 1, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 1, 2022
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Jul 1, 2022
@bedevere-bot

GH-94493 is a backport of this pull request to the 3.10 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 1, 2022
…ic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@miss-islington
Contributor

Sorry, @dignissimus and @ambv, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf 3.8

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Jul 1, 2022
@miss-islington
Contributor

Sorry @dignissimus and @ambv, I had trouble checking out the 3.7 backport branch.
Please backport using cherry_picker on command line.
cherry_picker 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf 3.7

@bedevere-bot

GH-94494 is a backport of this pull request to the 3.9 branch.

ambv pushed a commit to ambv/cpython that referenced this pull request Jul 1, 2022
…symbolic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot bedevere-bot removed the needs backport to 3.8 only security fixes label Jul 1, 2022
@bedevere-bot

GH-94495 is a backport of this pull request to the 3.8 branch.

ambv pushed a commit to ambv/cpython that referenced this pull request Jul 1, 2022
…symbolic links (pythonGH-94416)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@bedevere-bot

GH-94496 is a backport of this pull request to the 3.7 branch.

ambv pushed a commit that referenced this pull request Jul 1, 2022
…ks (GH-94416) (GH-94492)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv pushed a commit that referenced this pull request Jul 1, 2022
…ks (GH-94416) (GH-94493)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv pushed a commit that referenced this pull request Jul 1, 2022
…ks (GH-94416) (GH-94494)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv added a commit that referenced this pull request Jul 1, 2022
…ic links (GH-94416) (GH-94495)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
ambv added a commit that referenced this pull request Jul 1, 2022
…ic links (GH-94416) (GH-94496)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
@vstinner
Member

vstinner commented Jul 3, 2022

Oh, thank you for clarifying this in the documentation! That's helpful.

Labels
docs Documentation in the Doc dir skip news type-security A security issue
Successfully merging this pull request may close these issues.

http.server: Document explicitly that symbolic links are followed
6 participants