The simple HTTP Server from the command line python3 -m http.server 80 only supports HEAD and GET requests. I believe it would be beneficial to also allow PUT requests to allow uploading to the folder where the http.server module was started.
I have already pulled down the repository and made the changes locally and tested them to disallow directory traversal as well as allow saving into sub-folders. When I went to created my pull request I was advised that a discussion needed to take place outside of the issue request.
I don’t think we want this functionality in the stdlib. The server is just for demo purposes, not to be seriously used. This seems too risky to me.
8 Likes
Can you link to the PR please?
Here is the link to the pull request. GitHub - cdiemel/cpython-http-server-put: Add put/post to python http.server
Security Concerns
There is the possibility of trying to upload and run a reverse shell, however the simple HTTP server does not interpret any of the code, it reads it as text/bin then sends it out. I attempted to subvert the process and was only able to get it to serve me HTTP.
I used the included PATH functionality and added a few checks in the PUT function to ensure that you cannot place files outside of the current DIR tree. I tried various different versions of ../../ and ./../ and well as URL encoding to get files placed in odd places and was unable to get them outside of the directory tree I had created.
I believe having PUT ability is no more risky than having GET ability and complements the already implemented GET function.
(post deleted by author)