summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2013-10-30 16:48:59 (GMT)
committerBenjamin Peterson <benjamin@python.org>2013-10-30 16:48:59 (GMT)
commit35aca89617c14e0a15f728e4991eac8c01ccf170 (patch)
tree195aefb6f16661914ac3b5649adbebe54f5dea34
parent58bf8d2a688cf0fe180ed929568d0294a32ef5de (diff)
parent04e9de40f380b2695f955d68f2721d57cecbf858 (diff)
downloadcpython-35aca89617c14e0a15f728e4991eac8c01ccf170.zip
cpython-35aca89617c14e0a15f728e4991eac8c01ccf170.tar.gz
cpython-35aca89617c14e0a15f728e4991eac8c01ccf170.tar.bz2
merge 3.1 (#19435)
-rw-r--r--Lib/http/server.py9
-rw-r--r--Lib/test/test_httpservers.py12
-rw-r--r--Misc/NEWS2
3 files changed, 18 insertions, 5 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 5569037..bcfe894 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -968,18 +968,17 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
def run_cgi(self):
"""Execute a CGI script."""
- path = self.path
dir, rest = self.cgi_info
- i = path.find('/', len(dir) + 1)
+ i = rest.find('/')
while i >= 0:
- nextdir = path[:i]
- nextrest = path[i+1:]
+ nextdir = rest[:i]
+ nextrest = rest[i+1:]
scriptdir = self.translate_path(nextdir)
if os.path.isdir(scriptdir):
dir, rest = nextdir, nextrest
- i = path.find('/', len(dir) + 1)
+ i = rest.find('/')
else:
break
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index d71da1a..f8198f8 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -322,6 +322,7 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.parent_dir = tempfile.mkdtemp()
self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
os.mkdir(self.cgi_dir)
+ self.nocgi_path = None
self.file1_path = None
self.file2_path = None
@@ -342,6 +343,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.tearDown()
self.skipTest("Python executable path is not encodable to utf-8")
+ self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
+ with open(self.nocgi_path, 'w') as fp:
+ fp.write(cgi_file1 % self.pythonexe)
+ os.chmod(self.nocgi_path, 0o777)
+
self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
with open(self.file1_path, 'w', encoding='utf-8') as file1:
file1.write(cgi_file1 % self.pythonexe)
@@ -359,6 +365,8 @@ class CGIHTTPServerTestCase(BaseTestCase):
os.chdir(self.cwd)
if self.pythonexe != sys.executable:
os.remove(self.pythonexe)
+ if self.nocgi_path:
+ os.remove(self.nocgi_path)
if self.file1_path:
os.remove(self.file1_path)
if self.file2_path:
@@ -415,6 +423,10 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
(res.read(), res.getheader('Content-type'), res.status))
+ def test_issue19435(self):
+ res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
+ self.assertEqual(res.status, 404)
+
def test_post(self):
params = urllib.parse.urlencode(
{'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})
diff --git a/Misc/NEWS b/Misc/NEWS
index 6488b75..e8054cf 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.2.6?
Library
-------
+- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
+
- Issue #14984: On POSIX systems, when netrc is called without a filename
argument (and therefore is reading the user's $HOME/.netrc file), it now
enforces the same security rules as typical ftp clients: the .netrc file must