[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why exception from os.path.exists()?

On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <marko at pacujo.net> wrote:
> This is a security risk. Here is a brief demonstration. Copy the example
> HTTP server from:
>    <URL: https://docs.python.org/3/library/http.server.html?highlight=h
>    ttp#http.server.SimpleHTTPRequestHandler>
> Run the server. Try these URLs in your browser:
>   1. http://localhost:8000/
>      => The directory listing is provided
>   2. http://localhost:8000/test.html
>      => A file is served or an HTTP error response (404) is generated
>   3. http://localhost:8000/te%00st.html
>      => The server crashes with a ValueError and the TCP connection is
>         reset

Actually, I couldn't even get Chrome to make that request, so it
obviously was considered by the browser to be invalid. Doing the
request with curl produced a traceback on the server and an empty
response in the client. (And then the server returns to handling
requests normally.) How is this a security risk, exactly? To be fair,
it's somewhat unideal behaviour - I would prefer to see an HTTP 500
come back if the server crashes - but I can't see that that's a
security problem. Just a QOS issue, wherein you might get a 500 rather
than a 404 for certain requests.