Adding PUT functionality to http.server

The simple HTTP Server from the command line python3 -m http.server 80 only supports HEAD and GET requests. I believe it would be beneficial to also allow PUT requests to allow uploading to the folder where the http.server module was started.

I have already pulled down the repository and made the changes locally and tested them to disallow directory traversal as well as allow saving into sub-folders. When I went to created my pull request I was advised that a discussion needed to take place outside of the issue request.

I don’t think we want this functionality in the stdlib. The server is just for demo purposes, not to be seriously used. This seems too risky to me.


Can you link to the PR please?

Here is the link to the pull request. GitHub - cdiemel/cpython-http-server-put: Add put/post to python http.server

Security Concerns

There is the possibility of trying to upload and run a reverse shell, however the simple HTTP server does not interpret any of the code, it reads it as text/bin then sends it out. I attempted to subvert the process and was only able to get it to serve me HTTP.

I used the included PATH functionality and added a few checks in the PUT function to ensure that you cannot place files outside of the current DIR tree. I tried various different versions of ../../ and ./../ and well as URL encoding to get files placed in odd places and was unable to get them outside of the directory tree I had created.

I believe having PUT ability is no more risky than having GET ability and complements the already implemented GET function.

(post deleted by author)