Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

gh-104711: Add security warning to the CGIHTTPRequestHandler document #115915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 1, 2024
Merged

gh-104711: Add security warning to the CGIHTTPRequestHandler document #115915

merged 3 commits into from
Mar 1, 2024

Conversation

aisk
Copy link
Contributor

@aisk aisk commented Feb 25, 2024
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot added awaiting review docs Documentation in the Doc dir skip news labels Feb 25, 2024
@bedevere-app bedevere-app bot mentioned this pull request Feb 25, 2024
Open
@zooba
Copy link
Member

zooba commented Feb 27, 2024

It's a starting point, but let's focus on "only use for trusted clients". We're not going to remove it, we just don't want people expecting that it's safe to let people they don't trust access it over the internet.

@zooba
Copy link
Member

zooba commented Feb 28, 2024

Oh I just noticed the deprecation/pending removal message directly above in the file, so I guess we are planning to remove it. There probably isn't any need to add an extra warning in that case?

I don't know where the deprecation was decided, or if it was for security reasons. If so, we could just mention in the deprecation message that this should not be used for public-facing services and not add another warning. Otherwise, maybe the security section that immediately follows is a better place to mention it (and easier to backport, too).

@aisk
Copy link
Contributor Author

aisk commented Mar 1, 2024

There probably isn't any need to add an extra warning in that case?

Maybe some people have noticed that GCI-related functionalities will be removed in the future, but they still want to use them as a temporary solution. Therefore, I think we should still add the warning to let them know there are security issues.

If so, we could just mention in the deprecation message that this should not be used for public-facing services and not add another warning. Otherwise, maybe the security section that immediately follows is a better place to mention it (and easier to backport, too).

Currently, the warning is just below the deprecation message, and in the CGI handler section. I think it should be okay. And I think it should be a warning, so the actual page will show a red block, and it will be more noticeable. In the future, this CGI section can be wholly deleted and easily backported.

zooba
zooba reviewed Mar 1, 2024
View reviewed changes
Doc/library/http.server.rst Outdated Show resolved Hide resolved
@aisk @zooba
Update Doc/library/http.server.rst
c243b37 
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
@zooba
Copy link
Member

zooba commented Mar 1, 2024

LGTM, let me know when you're happy to merge.

@aisk
Copy link
Contributor Author

aisk commented Mar 1, 2024

Thanks for the review! I think this change is ready to merge.

@zooba zooba added needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Mar 1, 2024
@zooba zooba merged commit dac8ff4 into python:main Mar 1, 2024
@miss-islington-app
Copy link

Thanks @aisk for the PR, and @zooba for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12.
🐍🍒⛏🤖

@miss-islington-app
Copy link

Sorry, @aisk and @zooba, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker dac8ff4c401f75e65a5eef1514f2d7987e63bbfe 3.12

@miss-islington-app
Copy link

Sorry, @aisk and @zooba, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker dac8ff4c401f75e65a5eef1514f2d7987e63bbfe 3.11

aisk added a commit to aisk/cpython that referenced this pull request Mar 2, 2024
@aisk
[3.12] pythongh-104711: Add security warning to the CGIHTTPRequestHan…
9fd7339 
…dler document (pythonGH-115915)

(cherry picked from commit dac8ff4)

Co-authored-by: AN Long <aisk@users.noreply.github.com>
@bedevere-app
Copy link

bedevere-app bot commented Mar 2, 2024

GH-116235 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Mar 2, 2024
@bedevere-app
Copy link

bedevere-app bot commented Mar 2, 2024

GH-116236 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Mar 2, 2024
aisk added a commit to aisk/cpython that referenced this pull request Mar 2, 2024
@aisk
[3.11] pythongh-104711: Add security warning to the CGIHTTPRequestHan…
ebc7064 
…dler document (pythonGH-115915)

(cherry picked from commit dac8ff4)

Co-authored-by: AN Long <aisk@users.noreply.github.com>
@aisk aisk deleted the cgi-warning branch March 2, 2024 05:55
@aisk
Copy link
Contributor Author

aisk commented Mar 2, 2024

Sorry, as you pointed out, these changes introduced a conflict during the backport 😂. I resolved it manually.

zooba pushed a commit that referenced this pull request Mar 4, 2024
@aisk
gh-104711: Add security warning to the CGIHTTPRequestHandler document (
eb0603b 
…GH-115915)

(cherry picked from commit dac8ff4)
zooba pushed a commit that referenced this pull request Mar 4, 2024
@aisk
gh-104711: Add security warning to the CGIHTTPRequestHandler document (
b6077aa 
…GH-115915)

(cherry picked from commit dac8ff4)
@zooba
Copy link
Member

zooba commented Mar 4, 2024

Thanks! Merged now

woodruffw pushed a commit to woodruffw-forks/cpython that referenced this pull request Mar 4, 2024
@aisk @woodruffw
pythongh-104711: Add security warning to the CGIHTTPRequestHandler do…
a954d7b 
…cument (pythonGH-115915)
adorilson pushed a commit to adorilson/cpython that referenced this pull request Mar 25, 2024
@aisk @adorilson
pythongh-104711: Add security warning to the CGIHTTPRequestHandler do…
c2c0d8c 
…cument (pythonGH-115915)
diegorusso pushed a commit to diegorusso/cpython that referenced this pull request Apr 17, 2024
@aisk @diegorusso
pythongh-104711: Add security warning to the CGIHTTPRequestHandler do…
7f8fe69 
…cument (pythonGH-115915)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zooba zooba zooba left review comments

Assignees

@zooba zooba

Labels
docs Documentation in the Doc dir skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aisk @zooba
Morty Proxy This is a proxified and sanitized view of the page, visit original site.