advanced SimpleHTTPServer?

justin walters walters.justin01 at gmail.com
Wed Nov 2 16:59:46 EDT 2016


On Wed, Nov 2, 2016 at 12:52 PM, Eric S. Johansson <esj at harvee.org> wrote:

> So this brings me back to my question. What is missing in
> SimpleHTTPServer to keep it from being secure enough?
>

There's no way to vet requests. You can't stop a request from accessing
anything in the directory that SimpleHTTPServer is running in. I'm sure an
enterprising individual could also probably access the shell session
SimpleHTTPServer is running in as well. I haven't looked into the internals
very much, but it is possible an attacker could use eval() to run a Python
script sent in a request body. Not sure about that last one. I'll have to try
it myself and report back.
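
An added example, not part of the original post: the stock handler serving every file in its directory, next to a subclass that vets each request against an allowlist. It uses Python 3's http.server (the successor of the SimpleHTTPServer module); the allowlist, the file names and the VettedHandler class are assumptions made for the illustration.

```python
import functools
import http.client
import http.server
import pathlib
import tempfile
import threading

ALLOWED = {"/index.html"}  # hypothetical allowlist, an assumption of this example


class VettedHandler(http.server.SimpleHTTPRequestHandler):
    """Serve only allowlisted paths; refuse everything else with 403."""

    def send_head(self):
        # send_head() backs both GET and HEAD, so one check covers both.
        # Exact match on the raw path fails closed on encoded or dotted variants.
        if self.path.split("?", 1)[0] not in ALLOWED:
            self.send_error(403, "Not on allowlist")
            return None
        return super().send_head()


def fetch_status(handler_cls, directory, path):
    """Serve `directory` on loopback with handler_cls; return the status for path."""
    handler = functools.partial(handler_cls, directory=directory)
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection(*server.server_address, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


def demo():
    """Compare the stock handler with the vetted one on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "index.html").write_text("hello")
        pathlib.Path(d, "secret.txt").write_text("constructed sample secret")
        stock = http.server.SimpleHTTPRequestHandler
        return {
            "stock_secret": fetch_status(stock, d, "/secret.txt"),
            "vetted_secret": fetch_status(VettedHandler, d, "/secret.txt"),
            "vetted_index": fetch_status(VettedHandler, d, "/index.html"),
        }
```

Calling demo() returns the HTTP status each handler gives for the same constructed files.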
