python -m http.server log messages to stderr can emit raw data
#100001
Assignees
Labels
Comments
gpshead
added
type-bug
gpshead
added a commit
to gpshead/cpython
that referenced
this issue
Dec 5, 2022
gpshead
added a commit
that referenced
this issue
Dec 5, 2022
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…ythonGH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org>
This was referenced Dec 5, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…ythonGH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org>
This was referenced Dec 5, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…ythonGH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…ythonGH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead
added a commit
to gpshead/cpython
that referenced
this issue
Dec 5, 2022
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line.
|
The existing pending & merged PRs on release branches are sufficient to address the potential security issue and should unblock the release. PR #100038 makes it possible to still be able to parse a http.server log_message without ambiguity. I've already incorporated it into the not yet merged 3.9/3.8/3.7 backport PRs and will run backports of it to the 3.10 and 3.11 branches. |
gpshead
added a commit
that referenced
this issue
Dec 5, 2022
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line.
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…H-100038) Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. (cherry picked from commit 7e29398) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
…H-100038) Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. (cherry picked from commit 7e29398) Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
I added release-blocker tags to the pending PRs. I'm closing the issue itself now as it's resolved, just awaiting some CI & branch merges. |
Repository owner
moved this from In Progress
to Done
in Release and Deferred blockers 🚫
Dec 5, 2022
miss-islington
added a commit
that referenced
this issue
Dec 5, 2022
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. (cherry picked from commit 7e29398) Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington
added a commit
that referenced
this issue
Dec 5, 2022
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. (cherry picked from commit 7e29398) Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead
added a commit
to gpshead/cpython
that referenced
this issue
Dec 5, 2022
gpshead
added a commit
that referenced
this issue
Dec 5, 2022
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
(cherry picked from commit bed15f8) Co-authored-by: Gregory P. Smith <greg@krypto.org> pythongh-100001: Remove new doc typo, add versionadded.
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Dec 5, 2022
(cherry picked from commit bed15f8) Co-authored-by: Gregory P. Smith <greg@krypto.org> pythongh-100001: Remove new doc typo, add versionadded.
ambv
pushed a commit
that referenced
this issue
Dec 6, 2022
…H-100002) (#100033) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extraneous 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv
pushed a commit
that referenced
this issue
Dec 6, 2022
…H-100002) (#100032) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extra 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv
pushed a commit
that referenced
this issue
Dec 6, 2022
ambv
pushed a commit
that referenced
this issue
Dec 6, 2022
This was referenced Apr 24, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem: The
http.servermodule lets some control characters from the request thru which when emitted as is in a log message to a terminal can be used to control it or otherwise generate misleading output.python -m http.serveris typically run within such a terminal.Fix: The
http.serverdefaultlog_message()method needs to prevent printing of control characters.Reported by David Leadbeater, G-Research on 2022-12-04
Linked PRs
The text was updated successfully, but these errors were encountered: