.. warning::
:mod:`http.server` is not recommended for production. It only implements
- basic security checks.
+ :ref:`basic security checks <http.server-security>`.
One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass.
It creates and listens at the HTTP socket, dispatching the requests to a
the ``--cgi`` option::
python -m http.server --cgi
+
+.. _http.server-security:
+
+Security Considerations
+-----------------------
+
+.. index:: pair: http.server; security
+
+:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling
+requests, this makes it possible for files outside of the specified directory
+to be served.
argument disabling known insecure and blocked algorithms
<hashlib-usedforsecurity>`
* :mod:`http.server` is not suitable for production use, only implementing
- basic security checks
+ basic security checks. See the :ref:`security considerations <http.server-security>`.
* :mod:`logging`: :ref:`Logging configuration uses eval()
<logging-eval-security>`
* :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
projects / thirdparty / Python / cpython.git / commitdiff
