The simple HTTP server from the command line, python3 -m http.server 80, only supports HEAD and GET requests. I believe it would be beneficial to also allow PUT requests to allow uploading to the folder where the http.server module was started.
I have already pulled down the repository and made the changes locally and tested them to disallow directory traversal as well as allow saving into sub-folders. When I went to create my pull request I was advised that a discussion needed to take place outside of the issue request.
I don’t think we want this functionality in the stdlib. The server is just for demo purposes, not to be seriously used. This seems too risky to me.
Can you link to the PR please?
Here is the link to the pull request. GitHub - cdiemel/cpython-http-server-put: Add put/post to python http.server
Security Concerns
There is the possibility of trying to upload and run a reverse shell, however the simple HTTP server does not interpret any of the code, it reads it as text/bin then sends it out. I attempted to subvert the process and was only able to get it to serve me HTTP.
I used the included PATH functionality and added a few checks in the PUT function to ensure that you cannot place files outside of the current DIR tree. I tried various different versions of ../../ and ./../ as well as URL encoding to get files placed in odd places and was unable to get them outside of the directory tree I had created.
I believe having PUT ability is no more risky than having GET ability and complements the already implemented GET function.
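An added example (not the linked PR's code) of the containment check the post describes: a PUT handler on top of the stdlib SimpleHTTPRequestHandler that normalises the request path the way translate_path does and refuses to write anywhere outside the served directory. The function and class names, the 403/201 responses and the bind address are assumptions.

```python
import os
import posixpath
import urllib.parse
from http.server import SimpleHTTPRequestHandler
from typing import Optional


def resolve_upload_path(root: str, url_path: str) -> Optional[str]:
    """Map a request path to a file under root, or None if it would land outside.

    Normalisation mirrors SimpleHTTPRequestHandler.translate_path (drop query and
    fragment, percent-decode, collapse '.' and '..'); the realpath/commonpath test
    is the extra containment check a write needs and also rejects symlinked
    subdirectories that point outside root.
    """
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    path = urllib.parse.unquote(path, errors="surrogatepass")
    path = posixpath.normpath(path)          # "/a/../../b" -> "/b"
    root = os.path.realpath(root)
    target = root
    for part in path.split("/"):
        if not part or os.path.dirname(part) or part in (os.curdir, os.pardir):
            continue
        target = os.path.join(target, part)
    target = os.path.realpath(target)
    if os.path.commonpath([root, target]) != root:
        return None
    return target


class UploadHandler(SimpleHTTPRequestHandler):
    """GET/HEAD as in the stdlib, plus a PUT restricted to the served directory."""
    def do_PUT(self):
        target = resolve_upload_path(self.directory, self.path)
        if target is None or target == os.path.realpath(self.directory):
            self.send_error(403, "Refusing to write outside the served directory")
            return
        length = int(self.headers.get("Content-Length", 0))
        os.makedirs(os.path.dirname(target), exist_ok=True)   # allow sub-folders
        with open(target, "wb") as fh:
            fh.write(self.rfile.read(length))
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    from http.server import ThreadingHTTPServer
    ThreadingHTTPServer(("127.0.0.1", 8000), UploadHandler).serve_forever()
```

Traversal attempts such as /../../etc/passwd or their percent-encoded forms are folded back under the served directory rather than rejected, which is the same behaviour the stdlib GET path already has; only paths that still escape after normalisation (for example via a symlink) get a 403.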