Closed as not planned
Description
The current behavior has long been known (#54440 (comment)) and documented, but it seems that leaving it as is is not the best solution, especially when it is easy to fix.
I suggest adding a check that the source file is not located above the current directory; otherwise return Forbidden.
It can be reproduced with the following steps:
```shell
$ mkdir workdir
$ echo "SECRET CONTENT" > secret.txt
$ ln -s ../secret.txt workdir/leak.txt   # link target is relative to workdir/, so it must point one level up
$ python -m http.server 8000 -d workdir
$ curl http://localhost:8000/leak.txt
SECRET CONTENT
```
We can implement this by adding a similar check to the SimpleHTTPRequestHandler.translate_path method:
```python
import os

def translate_path(self, path):
    # ... existing translation of the URL path into a filesystem path ...
    # Resolve symlinks on both sides, then compare whole path components so that
    # a sibling such as /srv/www2 is not mistaken for a child of /srv/www.
    real_base = os.path.realpath(self.directory)
    real_path = os.path.realpath(path)
    if real_path != real_base and not real_path.startswith(real_base + os.sep):
        self.send_error(403, "Forbidden")
        return ""
    return path
```
I can send a PR.
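As an added, self-contained illustration of the check proposed above (this is example code, not part of the issue or of CPython), the handler below subclasses `SimpleHTTPRequestHandler` and refuses with 403 any request whose resolved target lies outside the served directory. The check is placed in `send_head` rather than in `translate_path` so that the 403 is the only response written; `translate_path` is expected to return a path, and sending an error from inside it would let the caller write a second response. The helper names (`NoEscapeHandler`, `is_within_directory`, `serve_and_fetch`, `demo`) and the temporary directory layout are assumptions of this example; the layout mirrors the reproduction steps, with a secret outside `workdir` and a symlink to it inside.

```python
import functools
import http.client
import http.server
import os
import tempfile
import threading


def is_within_directory(base, candidate):
    """True if candidate, after resolving symlinks, is base or a descendant of base.

    Comparing whole path components (base + os.sep) avoids the classic prefix bug
    where /srv/www2 would be accepted as a child of /srv/www.
    """
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(candidate)
    return real_path == real_base or real_path.startswith(real_base + os.sep)


class NoEscapeHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that will not follow symlinks out of self.directory.

    Hypothetical hardened handler written for this example; not CPython's own code.
    """

    def send_head(self):
        local_path = self.translate_path(self.path)
        if not is_within_directory(self.directory, local_path):
            self.send_error(403, "Forbidden")
            return None  # do_GET/do_HEAD treat None as "response already sent"
        return super().send_head()

    def log_message(self, format, *args):
        pass  # keep the example quiet; the stock handler logs every request to stderr


def serve_and_fetch(directory, url_path):
    """Serve `directory` on an ephemeral loopback port, GET url_path, return (status, body)."""
    handler = functools.partial(NoEscapeHandler, directory=directory)
    with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as httpd:
        port = httpd.server_address[1]
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request("GET", url_path)
            resp = conn.getresponse()
            status, body = resp.status, resp.read()
            conn.close()
            return status, body
        finally:
            httpd.shutdown()


def demo():
    """Recreate the reported layout in a temp dir and exercise both a legitimate file
    and the escaping symlink. Returns the observed statuses for inspection/testing."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = os.path.join(tmp, "workdir")
        os.mkdir(workdir)
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:   # constructed sample secret
            fh.write("SECRET CONTENT\n")
        with open(os.path.join(workdir, "public.txt"), "w") as fh:  # constructed served file
            fh.write("PUBLIC CONTENT\n")
        # Same relative link as in the reproduction: workdir/leak.txt -> ../secret.txt
        os.symlink(os.path.join("..", "secret.txt"), os.path.join(workdir, "leak.txt"))

        leak_status, _ = serve_and_fetch(workdir, "/leak.txt")
        public_status, public_body = serve_and_fetch(workdir, "/public.txt")
        return {"leak": leak_status, "public": public_status, "public_body": public_body}


if __name__ == "__main__":
    print(demo())  # expect leak -> 403, public -> 200
```

With the stock `SimpleHTTPRequestHandler` the same `demo()` layout returns 200 and the secret's contents for `/leak.txt`; with `NoEscapeHandler` that request is answered with 403 while `/public.txt` is still served. Note that the check resolves the path at request time, so a symlink that is retargeted between the check and the `open()` in the parent `send_head` is still a (narrow) race; binding a descriptor and checking it with `os.path.realpath` on `/proc/self/fd` or using `O_NOFOLLOW` would close that gap but is beyond the scope of the proposal.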