Report of Open Redirect Vulnerability in Python 3.9.19 - Utilizing Simple HTTP

[hnagashimauu]

Bug Report

Description

We identified that when using Simple HTTP in Python 3.9.19 with the payload /\\oast.me/%2e%2e%2f, an open redirect vulnerability arises.
This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.

Steps to Reproduce

1. Run the following code with Python 3.9.19.

#!/usr/bin/env python3
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer

address = ''
port = 8080
Handler = SimpleHTTPRequestHandler
TCPServer((address, port), Handler).serve_forever()

2. Craft a payload containing /\\oast.me/%2e%2e%2f..
3. Attempt to access the server with the crafted payload.
4. Observe the redirection behavior.

Output of curl

$ curl --noproxy "*" -I -x GET http://127.0.0.1:8080/\\oast.me/%2e%2e%2f
HTTP/1.0 301 Moved Permanently
Server: SimpleHTTP/0.6 Python/3.9.19
Date: Mon, 21 Apr 2025 11:06:08 GMT
Location: /\oast.me/%2e%2e%2f/
Content-Length: 0

Issue

If the URL path contains /\\oast.me/%2e%2e%2f, the response of Location header includes /\oast.me/%2e%2e%2f/.
It redirects to http://oast.me/..%2f/.

Expected Result

If the Location header starts with /, it is interpreted as a relative path on the same server.

Version

3.9.19
3.9.21
3.8.18
3.12.5

OS

Ubuntu 20.04.6 LTS

Related Issue

#118312

[hugovk]

This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.

Keep in mind the big warning at the top of https://docs.python.org/3/library/http.server.html :

Warning: http.server is not recommended for production. It only implements basic security checks.

[ZeroIntensity]

Keep in mind the big warning at the top of https://docs.python.org/3/library/http.server.html :

That said, I think this probably falls under the category of "basic security checks." I've tentatively added all the version labels, but I'm also fine with backporting this to only 3.13 as a bugfix.

[picnixz]

http.server is really meant to be used for serving files locally, and/or in a testing envionrment, or in an environment that students need to attack for whatever reasons. I won't consider this a security issue personally and I wouldn't bother indicating this as well.

Making it so to avoid open redirect vulnerabilities is honestly too much for this module. cc @gpshead