Problem: The http.server module lets some control characters from the request thru which when emitted as is in a log message to a terminal can be used to control it or otherwise generate misleading output. python -m http.server is typically run within such a terminal.

Fix: The http.server default log_message() method needs to prevent printing of control characters.

Reported by David Leadbeater, G-Research on 2022-12-04

Linked PRs

• gh-100001: Omit control characters in http.server stderr logs. #100002
• [3.10] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) #100031
• [3.9] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) #100032
• [3.8] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) #100033
• [3.7] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) #100034
• [3.11] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) #100035
• gh-100001: Also escape \s in http.server log messages. #100038
• [3.11] gh-100001: Also escape \s in http.server log messages. (GH-100038) #100040
• [3.10] gh-100001: Also escape \s in http.server log messages. (GH-100038) #100041
• gh-100001: Remove doc typo, add versionadded #100042
• [3.11] gh-100001: Remove doc typo, add versionadded (GH-100042) #100043
• [3.10] gh-100001: Remove doc typo, add versionadded (GH-100042) #100044