http.server: Document explicitly that symbolic links are followed

[vstinner]

BPO	36873
Nosy	@vstinner

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2019-05-10.03:41:31.078>
labels = ['type-security', '3.8', 'docs']
title = 'http.server: Document explicitly that symbolic links are followed'
updated_at = <Date 2019-05-10.03:41:31.078>
user = 'https://github.com/vstinner'

bugs.python.org fields:

activity = <Date 2019-05-10.03:41:31.078>
actor = 'vstinner'
assignee = 'docs@python'
closed = False
closed_date = None
closer = None
components = ['Documentation']
creation = <Date 2019-05-10.03:41:31.078>
creator = 'vstinner'
dependencies = []
files = []
hgrepos = []
issue_num = 36873
keywords = []
message_count = 1.0
messages = ['342054']
nosy_count = 2.0
nosy_names = ['vstinner', 'docs@python']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue36873'
versions = ['Python 3.8']

[vstinner]

http.server documentation starts with a red warning:

"Warning: http.server is not recommended for production. It only implements basic security checks."

https://docs.python.org/dev/library/http.server.html

It would help to be even more explicit on what it means. For example, document that symbolic links are followed and SimpleHTTPRequestHandler directory can be "escaped" following symbolic links.

[vstinner]

Thanks for fixing this old doc issue ;-)

[vstinner]

I created a new issue for more known vulnerabilities: #94531.