author Gregory P. Smith <greg@krypto.org> 2022-12-05 20:55:45 (GMT)
committer GitHub <noreply@github.com> 2022-12-05 20:55:45 (GMT)
commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828 (patch)
tree 5b4a9e65b34457adff349c81b34fba674414bf92 /Doc
parent 530cc9dbb61df55b83f0219d2282980c9cb1cbd8 (diff)
gh-100001: Omit control characters in http.server stderr logs. (#100002)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/http.server.rst 7
1 files changed, 7 insertions, 0 deletions
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
index 81b6bf5..154f3f3 100644
--- a/Doc/library/http.server.rst
+++ b/Doc/library/http.server.rst
@@ -512,3 +512,10 @@ Security Considerations
:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling
requests, this makes it possible for files outside of the specified directory
to be served.
+
+Earlier versions of Python did not scrub control characters from the
+log messages emitted to stderr from ``python -m http.server`` or the
+default :class:`BaseHTTPRequestHandler` ``.log_message``
+implementation. This could allow to remote clients connecting to your
+server to send nefarious control codes to your terminal.
+
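Review bot: The second sentence of the added paragraph has a stray "to" in "This could allow to remote clients connecting"; it should read "This could allow remote clients connecting to your server to send nefarious control codes to your terminal." The paragraph also says "Earlier versions of Python" without naming the release in which scrubbing was introduced, so a reader cannot tell from the docs whether their interpreter is affected; a versionchanged note stating the release would settle that. It would also help to say what the logger does now, which the commit message describes as replacing control characters with an escaped \xHH sequence, and to make explicit whether a handler that overrides log_message gets this scrubbing, since the text scopes the change to the default implementation.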