diff options
| author | Benjamin Peterson <benjamin@python.org> | 2013-10-30 16:50:18 (GMT) |
|---|---|---|
| committer | Benjamin Peterson <benjamin@python.org> | 2013-10-30 16:50:18 (GMT) |
| commit | a50f89954d206e063d653b847a4b5bbc8c0abb8c (patch) | |
| tree | c2b0ef78b0cdacf5eeb8b9b5015ee106e4d98db1 | |
| parent | 8f169489c484cd4918a6dd0fde712cd11f1d4367 (diff) | |
| parent | 35aca89617c14e0a15f728e4991eac8c01ccf170 (diff) | |
| download | cpython-a50f89954d206e063d653b847a4b5bbc8c0abb8c.zip cpython-a50f89954d206e063d653b847a4b5bbc8c0abb8c.tar.gz cpython-a50f89954d206e063d653b847a4b5bbc8c0abb8c.tar.bz2 | |
merge 3.2 (#19435)
| -rw-r--r-- | Lib/http/server.py | 9 | ||||
| -rw-r--r-- | Lib/test/test_httpservers.py | 12 | ||||
| -rw-r--r-- | Misc/NEWS | 1 |
3 files changed, 17 insertions, 5 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index ebc2a8f..2bfda12 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -987,18 +987,17 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): def run_cgi(self): """Execute a CGI script.""" - path = self.path dir, rest = self.cgi_info - i = path.find('/', len(dir) + 1) + i = rest.find('/') while i >= 0: - nextdir = path[:i] - nextrest = path[i+1:] + nextdir = rest[:i] + nextrest = rest[i+1:] scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest - i = path.find('/', len(dir) + 1) + i = rest.find('/') else: break diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index b8bbcb6..9dd2778 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -325,6 +325,7 @@ class CGIHTTPServerTestCase(BaseTestCase): self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin') os.mkdir(self.cgi_dir) + self.nocgi_path = None self.file1_path = None self.file2_path = None @@ -345,6 +346,11 @@ class CGIHTTPServerTestCase(BaseTestCase): self.tearDown() self.skipTest("Python executable path is not encodable to utf-8") + self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py') + with open(self.nocgi_path, 'w') as fp: + fp.write(cgi_file1 % self.pythonexe) + os.chmod(self.nocgi_path, 0o777) + self.file1_path = os.path.join(self.cgi_dir, 'file1.py') with open(self.file1_path, 'w', encoding='utf-8') as file1: file1.write(cgi_file1 % self.pythonexe) @@ -362,6 +368,8 @@ class CGIHTTPServerTestCase(BaseTestCase): os.chdir(self.cwd) if self.pythonexe != sys.executable: os.remove(self.pythonexe) + if self.nocgi_path: + os.remove(self.nocgi_path) if self.file1_path: os.remove(self.file1_path) if self.file2_path: @@ -418,6 +426,10 @@ class CGIHTTPServerTestCase(BaseTestCase): self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status)) + def test_issue19435(self): + res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh') + self.assertEqual(res.status, 404) + def test_post(self): params = urllib.parse.urlencode( {'spam' : 1, 'eggs' : 'python', 'bacon' : 123456}) @@ -13,6 +13,7 @@ Core and Builtins Library ------- +- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler. What's New in Python 3.3.3 release candidate 1? |