New submission from longwenzhang <pakeca...@outlook.com>:

There is a Path Traversal vulnerability in 
https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py (on the 
Windows platform). Steps to reproduce:
1. Run the script 
https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py
2. If you visit https://127.0.0.1:4433/ , you will see the files in the 
current directory. 
But if you visit https://127.0.0.1:4433/c:../ , you will jump to the parent 
directory, and if you visit https://127.0.0.1:4433/d:../ , you will see the 
files of D:\ 
3. I'm sure it's a Path Traversal, and I think the problem is at 
https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py#L71 : 
there is no check on "word".

----------
components: Tests
messages: 352844
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A Path Traversal vulnerability in ssl_servers.py
type: security
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue38230>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
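
The missing check on each path segment that the report points to, as an added example (not code from ssl_servers.py or from the reporter). It uses `ntpath` so the Windows join rules can be reproduced on any OS; `ROOT`, `naive_translate` and `safe_translate` are hypothetical names, and `naive_translate` is a simplified model of an unchecked join, not the file's actual code.

```python
import ntpath
from urllib.parse import unquote, urlsplit

ROOT = "C:\\srv\\www"  # constructed document root, for illustration only


def _segments(url_path):
    """Split the URL path into non-empty, percent-decoded segments."""
    return [s for s in unquote(urlsplit(url_path).path).split("/") if s]


def naive_translate(root, url_path):
    """Join every segment onto root without inspecting it."""
    path = root
    for word in _segments(url_path):
        # ntpath.join keeps root for "c:.." (same drive, relative part "..")
        # and discards root entirely for "d:.." (different drive).
        path = ntpath.join(path, word)
    return ntpath.normpath(path)


def safe_translate(root, url_path):
    """Return the resolved path under root, or None if a segment could leave it."""
    root = ntpath.normpath(root)
    path = root
    for word in _segments(url_path):
        drive, rest = ntpath.splitdrive(word)
        # Reject drive-qualified segments, dot segments, embedded Windows
        # separators and stray colons before they ever reach join().
        if drive or rest in (".", "..") or "\\" in rest or ":" in rest:
            return None
        path = ntpath.join(path, rest)
    path = ntpath.normpath(path)
    # Defence in depth: the result must be root itself or something below it.
    if ntpath.commonpath([root, path]).lower() != root.lower():
        return None
    return path


if __name__ == "__main__":
    for url in ("/", "/sub/file.txt", "/c:../", "/d:../"):
        print(f"{url!r:18} naive={naive_translate(ROOT, url)!r:28} "
              f"safe={safe_translate(ROOT, url)!r}")
```

The per-segment rejection and the final containment check are independent; either one alone stops the two URLs from the report, and keeping both covers segment forms the first check does not anticipate.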