Commit Graph

148 Commits

Author SHA1 Message Date
Gregory P. Smith 59073c9ab8
gh-109096: Deprecate `http.server.CGIHTTPRequestHandler` (#109387)
Deprecate `http.server.CGIHTTPRequestHandler`.

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2023-09-15 14:26:45 -07:00
Ben Kallus cf720acfcb
gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (#103205)
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
2023-05-12 13:25:58 -07:00
Ethan Furman c7c3a60c88
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (#104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2023-05-03 03:42:00 +00:00
Ethan Furman a286caa937
gh-91219: http - use subclassing to override index_pages attribute (GH-100731)
Remove previously added parameter to `__init__`, and recommend subclassing to modify the `index_pages` attribute instead.
2023-01-03 15:20:08 -08:00
James Frost 46e6a28308
gh-100474: Fix handling of dirs named index.html in http.server (GH-100475)
If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file.

I have also added a test case for this situation.

Automerge-Triggered-By: GH:merwok
2022-12-24 10:28:59 -08:00
Gregory P. Smith 7e29398407
gh-100001: Also escape \s in http.server log messages. (#100038)
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was.  Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
2022-12-05 14:27:55 -08:00
Gregory P. Smith d8ab0a4dfa
gh-100001: Omit control characters in http.server stderr logs. (#100002)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
2022-12-05 12:55:45 -08:00
Myron Walker 9a95fa9267
gh-91219: Add an index_pages default list and parameter to SimpleHTTPRequestHandler (GH-31985)
* Add an index_pages default list to SimpleHTTPRequestHandler and an
optional constructor parameter that allows the default indexes pages
list to be overridden.  This makes it easy to set a new index page name
without having to override send_head.
2022-06-23 13:30:44 -07:00
Gregory P. Smith 4abab6b603
gh-87389: Fix an open redirection vulnerability in http.server. (#93879)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
2022-06-21 13:16:57 -07:00
Géry Ogam 2d30adee72
bpo-46285: Add command-line option -p/--protocol to module http.server (#30999)
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
2022-05-02 16:28:45 -06:00
Dong-hee Na 0bb40a42d7
closes bpo-46736: SimpleHTTPRequestHandler now uses HTML5. (GH-31533)
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
2022-02-23 09:59:32 -08:00
Géry Ogam 2d080347d7
bpo-46436: Fix command-line option -d/--directory in module http.server (GH-30701)
Fix command-line option -d/--directory in http.server main
function that was ignored when combined with --cgi.

Automerge-Triggered-By: GH:merwok
2022-02-03 07:51:05 -08:00
Binbin 17b16e13bb
Fix typos in multiple files (GH-26689)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
2021-06-12 22:47:44 -04:00
Stephen Rosen fb42725561
bpo-43972: Set content-length to 0 for http.server.SimpleHTTPRequestHandler 301s (GH-25705)
* Set content-length for simple http server 301s

When http.server.SimpleHTTPRequestHandler sends a 301 (Moved
Permanently) due to a missing file, it does not set a Content-Length
of 0. Unfortunately, certain clients can be left waiting for the
connection to be closed in this circumstance, even though no body
will be sent. At time of writing, both curl and Firefox demonstrate
this behavior.

* Test Content-Length on simple http server redirect

When serving a redirect, the SimpleHTTPRequestHandler will now send
`Content-Length: 0`. Several tests for http.server already cover
various behaviors and checks including redirection. This change only
adds one check for the expected Content-Length on the simplest case
for a redirect.

* Add news entry for SimpleHTTPRequestHandler fix

* Clarify the specific kind of 301

Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
2021-05-06 12:25:52 -07:00
Senthil Kumaran da3d2abe6b
GH-5054: CGIHTTPRequestHandler.run_cgi() HTTP_ACCEPT improperly parsed (#23638) 2020-12-05 05:26:24 -08:00
Senthil Kumaran 3ec9d01901
Remove the conditional for setting query. (#23604) 2020-12-02 19:48:14 -08:00
Christian Heimes 03c8ddd9e9
bpo-42413: socket.timeout is now an alias of TimeoutError (GH-23413)
Signed-off-by: Christian Heimes <christian@python.org>
2020-11-20 00:26:07 -08:00
Victor Stinner 9a679a0e47
bpo-40094: CGIHTTPRequestHandler logs exit code (GH-19285)
CGIHTTPRequestHandler of http.server now logs the CGI script exit
code, rather than the CGI script exit status of os.waitpid().

For example, if the script is killed by signal 11, it now logs:
"CGI script exit code -11."
2020-04-02 03:42:05 +02:00
An Long 5907e61a8d bpo-35292: Avoid calling mimetypes.init when http.server is imported (GH-17822) 2020-01-08 10:28:14 -08:00
Jason R. Coombs 7cdc31a14c
bpo-38907: Suppress any exception when attempting to set V6ONLY. (GH-17864)
Fixes error attempting to bind to IPv4 address.
2020-01-06 07:59:36 -05:00
Jason R. Coombs ee94bdb059
bpo-38907: In http.server script, restore binding to IPv4 on Windows. (GH-17851) 2020-01-05 22:32:19 -05:00
Siwon Kang 91daa9d722 bpo-38863: Improve is_cgi() in http.server (GH-17312)
is_cgi() function of http.server library does not currently handle a
cgi script if one of the cgi_directories is located at the
sub-directory of given path. Since is_cgi() in CGIHTTPRequestHandler
class separates given path into (dir, rest) based on the first seen
'/', multi-level directories like /sub/dir/cgi-bin/hello.py is divided
into head=/sub, rest=dir/cgi-bin/hello.py then check whether '/sub'
exists in cgi_directories = [..., '/sub/dir/cgi-bin'].
This patch makes the is_cgi() keep expanding dir part to the next '/'
then checking if that expanded path exists in the cgi_directories.

Signed-off-by: Siwon Kang <kkangshawn@gmail.com>





https://bugs.python.org/issue38863
2019-11-22 01:13:05 -08:00
Géry Ogam 781266ebb6 bpo-35640: Allow passing PathLike arguments to SimpleHTTPRequestHandler (GH-11398) 2019-09-11 14:03:46 +01:00
Jason R. Coombs f289084c83
bpo-24209: In http.server script, rely on getaddrinfo to bind to preferred address based on the bind parameter. (#11767)
In http.server script, rely on getaddrinfo to bind to preferred address based on the bind parameter.

As a result, now IPv6 is used as the default (including IPv4 on dual-stack systems). Enhanced tests.
2019-02-07 08:22:45 -05:00
Michael Felt 2062a20641 bpo-34711: Return HTTPStatus.NOT_FOUND if path.endswith('/') and not a directory (GH-9687)
AIX allows a trailing slash on local file system paths, which isn't what we want
in http.server. Accordingly, check explicitly for this case in the server code,
rather than relying on the OS raising an exception.

Patch by Michael Felt.
2018-12-26 15:43:42 +10:00
Lisa Roach 433433fa6d
Adds IPv6 support when invoking http.server directly. (GH-10595) 2018-11-26 10:43:38 -08:00
ValeriyaSinevich b36b0a3765 bpo-33663: Convert content length to string before putting to header (GH-7754) 2018-06-18 14:17:53 -07:00
Géry Ogam 1cee216cf3 bpo-31639: Change ThreadedHTTPServer to ThreadingHTTPServer class name (GH-7195) 2018-05-29 22:10:30 +02:00
Julien Palard 8bcfa02e4b
bpo-31639: Use threads in http.server module. (GH-5018) 2018-03-23 17:40:33 +01:00
Serhiy Storchaka 13ad3b7a82 bpo-31462: Remove trailing whitespaces. (#3564) 2017-09-14 09:38:36 +03:00
Stéphane Wirtel a17a2f52c4 bpo-28707: Add the directory parameter to http.server.SimpleHTTPRequestHandler and http.server module (#1776)
* bpo-28707: call the constructor of SimpleHTTPRequestHandler in the test with a mock object

* bpo-28707: Add the directory parameter to http.server.SimpleHTTPRequestHandler and http.server module
2017-05-24 00:29:06 -07:00
Serhiy Storchaka 7e4db2f253 bpo-30166: Import command-line parsing modules only when needed. (#1293) 2017-05-04 08:17:47 +03:00
Pierre Quentel 351adda54b bpo-29654 : Support If-Modified-Since HTTP header (browser cache) (#298)
Return 304 response if file was not modified.
2017-04-02 13:26:12 +03:00
Martin Panter e82338ddab Issue #28548: Parse HTTP request version even if too many words received 2016-11-19 01:06:37 +00:00
Martin Panter 40de69ac58 Issue #25738: Merge HTTP server from 3.5 2016-06-08 09:45:58 +00:00
Martin Panter e42e129ebe Issue #25738: Don’t send message body for 205 Reset Content
Patch by Susumu Koshiba.
2016-06-08 08:29:13 +00:00
Berker Peksag 3a31cca4ab Issue #24902: Print server URL on http.server startup
Initial patch by Felix Kaiser.
2016-04-29 16:48:11 +03:00
Martin Panter 791ac54a44 Issue #26657: Merge http.server fix from 3.5 2016-04-18 07:16:17 +00:00
Martin Panter d274b3f1f1 Issue #26657: Fix Windows directory traversal vulnerability with http.server
Based on patch by Philipp Hagemeister.  This fixes a regression caused by
revision f4377699fd47.
2016-04-18 03:45:18 +00:00
Martin Panter 0cab9c1eba Issue #26404: Add context manager to socketserver, by Aviv Palivoda 2016-04-13 00:36:52 +00:00
Martin Panter da3bb38452 Issue #26585: Eliminate _quote_html() and use html.escape(quote=False)
Patch by Xiang Zhang.
2016-04-11 00:40:08 +00:00
Martin Panter 50badad807 Issue #26586: Simple enhancements to BaseHTTPRequestHandler by Xiang Zhang 2016-04-03 01:28:53 +00:00
Martin Panter b93e4b2480 Issue #26586: Merge excessive HTTP header handling from 3.5 2016-04-03 01:28:49 +00:00
Martin Panter acc03195b0 Issue #26586: Handle excessive header fields in http.server, by Xiang Zhang 2016-04-03 00:45:46 +00:00
Berker Peksag 04bc5b9e48 Issue #747320: Use email.utils.formatdate() to avoid code duplication
in BaseHTTPRequestHandler

Initial patch by karlcow.
2016-03-14 06:06:03 +02:00
Martin Panter 3f930dcd87 Merge typo fixes from 3.4 into 3.5 2015-10-07 11:01:47 +00:00
Martin Panter 9955a373a8 Various minor typos in documentation and comments 2015-10-07 10:26:23 +00:00
Martin Panter 56b76d25dd Issues #25232, #24657: Merge two CGI server fixes from 3.4 into 3.5 2015-10-03 06:03:25 +00:00
Martin Panter cb29e8c0e5 Issue #24657: Prevent CGIRequestHandler from collapsing the URL query
Initial patch from Xiang Zhang. Also fix out-of-date _url_collapse_path() doc
string.
2015-10-03 05:55:46 +00:00
Martin Panter a02e18a43f Issue #25232: Fix CGIRequestHandler's splitting of URL query
Patch from Xiang Zhang.
2015-10-03 05:38:07 +00:00