Why exception from os.path.exists()?
On 2018-06-08 03:42, Chris Angelico wrote:
> Apart from the one odd bug with SimpleHTTPServer not properly sending
> back 500s, I very much doubt that the original concern - namely that
> os.path.exists() and os.stat() raise ValueError if there's a %00 in
> the URL - can be abused effectively.
Dismissing HTTP 500s as "not a vulnerability" sounds reasonable enough
to me. But you're assuming that all other expressions of this bug in
applications will be at least as benign. I'm not sure that that's warranted.
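The failure mode discussed in this thread, as an added example that is not part of the original messages: a percent-decoded path containing `%00` makes `os.stat()` raise `ValueError` rather than `OSError`, so a handler that only catches `OSError` lets the exception escape. The names `naive_stat`, `resolve` and `demo`, the status-code mapping and the request paths are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_stat(docroot, url_path):
    """Handler that only expects OSError from the filesystem call."""
    try:
        os.stat(os.path.join(docroot, unquote(url_path).lstrip("/")))
        return 200
    except OSError:
        return 404  # a ValueError from an embedded NUL is NOT caught here


def resolve(docroot, url_path):
    """Return (status, path); treat unrepresentable names as a client error."""
    rel = unquote(url_path).lstrip("/")
    if "\x00" in rel:  # reject before any filesystem call sees it
        return 400, None
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:  # stay inside the docroot
        return 403, None
    try:
        os.stat(full)
    except ValueError:  # defence in depth for other unrepresentable paths
        return 400, None
    except OSError:
        return 404, None
    return 200, full


def demo():
    """Run both handlers against constructed request paths."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("ok")
        paths = ["/index.html", "/missing", "/index.html%00.jpg"]
        hardened = [resolve(root, p)[0] for p in paths]
        try:
            naive = naive_stat(root, paths[2])
        except ValueError as exc:
            naive = "unhandled ValueError: %s" % exc
        return hardened, naive


if __name__ == "__main__":
    print(demo())
```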