Why exception from os.path.exists()?

Chris Angelico rosuav at gmail.com
Thu Jun 7 08:15:27 EDT 2018


On Thu, Jun 7, 2018 at 8:47 PM, Marko Rauhamaa <marko at pacujo.net> wrote:
> Chris Angelico <rosuav at gmail.com>:
>
>> On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <marko at pacujo.net> wrote:
>>>   3. http://localhost:8000/te%00st.html
>>>
>>>      => The server crashes with a ValueError and the TCP connection is
>>>         reset
>>>
>> it's somewhat unideal behaviour - I would prefer to see an HTTP 500
>> come back if the server crashes - but I can't see that that's a
>> security problem. Just a QOS issue, wherein you might get a 500 rather
>> than a 404 for certain requests.
>
> It's a demonstration of how this innocent-looking problem can lead to
> surprising and even serious consequences.
>
> The given URI is well-formed and should not give any particular trouble
> to any HTTP server.

You haven't demonstrated a security problem. Don't claim security
risks unless you can show there's at least a possibility of that;
otherwise, it's just FUD.

ChrisA
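
An added example, not part of the original message and not code from any server discussed in the thread: a static-file lookup that percent-decodes the request path and maps the `te%00st.html` case to an HTTP status instead of letting the `ValueError` escape. The names `status_for`, `unguarded_stat_raises` and `demo`, the use of `os.stat()`, and the choice of 404 for a NUL in the path are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def status_for(url, docroot):
    """Return the HTTP status a static-file handler would send for url."""
    # Percent-decoding turns %00 into a real NUL character in the path.
    rel = unquote(urlsplit(url).path).lstrip("/")
    if "\x00" in rel:
        return 404  # assumed policy: no file name can contain NUL
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        return 404  # resolved outside the document root
    try:
        os.stat(full)
    except (FileNotFoundError, NotADirectoryError):
        return 404
    except (OSError, ValueError):
        return 500  # unexpected failure: answer 500, keep the connection
    return 200


def unguarded_stat_raises(name="te\x00st.html"):
    """True if a bare os.stat() on the decoded name raises ValueError."""
    try:
        os.stat(name)
    except ValueError:
        return True
    except OSError:
        return False
    return False


def demo():
    """Probe a constructed document root with constructed sample URLs."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "test.html"), "w") as fh:
            fh.write("<p>ok</p>")
        base = "http://localhost:8000/"
        paths = ["test.html", "missing.html", "te%00st.html"]
        return {p: status_for(base + p, docroot) for p in paths}


if __name__ == "__main__":
    print(unguarded_stat_raises(), demo())
```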


