[Python-checkins] gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94493)
ambv
webhook-mailer at python.org
Fri Jul 1 12:41:44 EDT 2022
https://github.com/python/cpython/commit/cf1732619a61f7b7b5223ebaf6be6455d28257f2
commit: cf1732619a61f7b7b5223ebaf6be6455d28257f2
branch: 3.10
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: ambv <lukasz at langa.pl>
date: 2022-07-01T18:41:40+02:00
summary:
gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94493)
(cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf)
Co-authored-by: Sam Ezeh <sam.z.ezeh at gmail.com>
files:
M Doc/library/http.server.rst
M Doc/library/security_warnings.rst
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
index 0de02834401aa..8584f99d1567b 100644
--- a/Doc/library/http.server.rst
+++ b/Doc/library/http.server.rst
@@ -20,7 +20,7 @@ This module defines classes for implementing HTTP servers.
.. warning::
:mod:`http.server` is not recommended for production. It only implements
- basic security checks.
+ :ref:`basic security checks <http.server-security>`.
One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass.
It creates and listens at the HTTP socket, dispatching the requests to a
@@ -488,3 +488,14 @@ the following command uses a specific directory::
the ``--cgi`` option::
python -m http.server --cgi
+
+.. _http.server-security:
+
+Security Considerations
+-----------------------
+
+.. index:: pair: http.server; security
+
+:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling
+requests, this makes it possible for files outside of the specified directory
+to be served.
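Review bot: the new sentence at the end of this hunk is a comma splice ("... when handling requests, this makes it possible ..."); split it into two sentences or use a relative clause, e.g. `requests, which makes it possible for files outside of the specified directory to be served.` It would also help readers choosing a directory to serve if the section stated the consequence directly: a symbolic link inside the served directory exposes its target, so the directory should not contain links to locations that are not meant to be public.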
diff --git a/Doc/library/security_warnings.rst b/Doc/library/security_warnings.rst
index 26b015c0f8fc7..3cc79413871f2 100644
--- a/Doc/library/security_warnings.rst
+++ b/Doc/library/security_warnings.rst
@@ -14,7 +14,7 @@ The following modules have specific security considerations:
argument disabling known insecure and blocked algorithms
<hashlib-usedforsecurity>`
* :mod:`http.server` is not suitable for production use, only implementing
- basic security checks
+ basic security checks. See the :ref:`security considerations <http.server-security>`.
* :mod:`logging`: :ref:`Logging configuration uses eval()
<logging-eval-security>`
* :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
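Review bot: the surrounding list items (for example the `hashlib` entry ending in `<hashlib-usedforsecurity>`) do not end with a full stop, so the changed line `basic security checks. See the :ref:...` introduces a two-sentence item in an otherwise single-phrase list; consider keeping it to one phrase, e.g. `basic security checks (see the :ref:`security considerations <http.server-security>`)`, so the entry matches the others.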