I was pleased and surprised that the Python 3 one works with Termux on this cellphone. I've had trouble with Python socket stuff on here in the past, but now I suspect that may have been specific to IP multicast.
Huh? When I use SimpleHTTPServer with .. it just ignores the .. and keeps me in the same directory. Is the behavior different on different versions of python or something? Is there some special technique I don't know? I tried with '.' and with '%2e' .
Eh! That’s not true. I just tried and both Python 2.7.16 and Python 3.7.6 return a "404 Not Found” when I try to download and existing file that is located one or more levels up from the directory where the HTTP server was started. Here is a screenshot showing both results: https://i.imgur.com/uizp7zV.png
Same-origin policy prevents that specific attack, although the same idea exists if you’re not protected from DNS rebinding on localhost, and `--bind 127.0.0.1` (or some other way to block the port) is necessary – but the Pythons’ built-in HTTP servers aren’t vulnerable to path traversal anyway.
You might want to include a disclaimer that you're the author, maintainer and person behind the company that operates ngrok ;)
Just wanted to chime in and say I love ngrok too, not allow allows you to easily create proxies, it allows you to create proxies that also works on the public internet (ngrok assigns you a x.ngrok.io address) and with tcp connections. Great work on it inconshreveable!
You can replace . with any of your other cloud storage backends too (s3, google drive, dropbox, etc), or http with sftp, webdav, ftp, dlna. It works on Windos/macOS/Linux.
Using `nix` I have an alias called `serve` that runs `nix run nixpkgs.caddy -c caddy -host 0.0.0.0 -port 8000 browse` which will download Caddy if it is not in my cache and then run it. It's one of my favorite aliases and I use it way more frequently than I'd expect.
Unlike `python3 -m http.server`, `npx serve` doesn’t redirect `/path/to/dir` to `/path/to/dir/`. This is a problem if you are using relative paths in your `/path/to/dir/index.html`.
Huh .. that'd be a fun post; see how many of these can be susceptible for climbing out of their web root. The author does list which ones support dir indexes.
Caddy is a one-liner. Plenty of the one-liners are suitable for production. There are so many solutions that you might as well use one, even in development, that doesn't have such glaring issues, because you're basically training your muscle memory to reach for it.
70 comments
[ 4.8 ms ] story [ 139 ms ] threadThe same thing, in `batch` for Windows: https://github.com/rahuldottech/netcat-http-server-for-windo...
Or tcpserver from djb
.
Instructions for how to do that would be a helpful addition to this page.
Most of those people aren't aware how insecure they are.
For example, with the python SimpleHTTPServer I can simply request http://localhost/../../.ssh/id_rsa
All your SSH private keys are now mine. I can steal your browser cookie database and get into your email/Facebook/Twitter in the same way.
Any web page can request that, or any software on any machine on your local network.
I redid the tests, with curl's --path-as-is flag, as well as with raw TCP (via netcat), and SimpleHTTPServer is still not vulnerable.
Eh! That’s not true. I just tried and both Python 2.7.16 and Python 3.7.6 return a "404 Not Found” when I try to download and existing file that is located one or more levels up from the directory where the HTTP server was started. Here is a screenshot showing both results: https://i.imgur.com/uizp7zV.png
Did the directory you were serving contain any symbolic links to folders outside of that directory?
There have been bugs though, like https://bugs.python.org/issue26657
I think my localhost is different from your localhost.
This plus hosts file can be a quick way to test secure cookies, secure headers, etc.
ngrok http file:///Users/alan/share
Just wanted to chime in and say I love ngrok too, not allow allows you to easily create proxies, it allows you to create proxies that also works on the public internet (ngrok assigns you a x.ngrok.io address) and with tcp connections. Great work on it inconshreveable!
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/c...
(Rclone author ;-)
curl https://patchbay.pub/abcd1234.html --data-binary @index.html
[0] https://patchbay.pub
When -U is specified, it provides an upload form, allowing file uploads.
I guess I would normally just start with ‘path/to/dir/‘ or ‘/path/to/dir/index.html’
Edit: Didn't know there was an `eval` flag for Node, so that will do the job:
node --eval "var fs = require('fs'), http = require('http'); http.createServer(function (req, res) { fs.readFile(__dirname + req.url, function (err,data) { if (err) { res.writeHead(404); res.end(JSON.stringify(err)); return;}res.writeHead(200);res.end(data); });}).listen(8080);"
[2]: https://news.ycombinator.com/item?id=10436111
You don't need to fully install globally