summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNed Deily <nad@acm.org>2014-07-13 05:06:26 (GMT)
committerNed Deily <nad@acm.org>2014-07-13 05:06:26 (GMT)
commit915a30fb0db8d4fc09cdf2f91db103edb5ad2cef (patch)
treeee9db54b270845dfcc1d469a3bd79be415f30429
parent314dc126ce45a5e1369b408645e5da480a05bc9d (diff)
downloadcpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.zip
cpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.tar.gz
cpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.tar.bz2
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
-rw-r--r--Lib/http/server.py10
-rw-r--r--Lib/test/test_httpservers.py16
-rw-r--r--Misc/ACKS1
-rw-r--r--Misc/NEWS3
4 files changed, 25 insertions, 5 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 1f4d1bb..b0548cf 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -969,16 +969,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
def run_cgi(self):
"""Execute a CGI script."""
dir, rest = self.cgi_info
-
- i = rest.find('/')
+ path = dir + '/' + rest
+ i = path.find('/', len(dir)+1)
while i >= 0:
- nextdir = rest[:i]
- nextrest = rest[i+1:]
+ nextdir = path[:i]
+ nextrest = path[i+1:]
scriptdir = self.translate_path(nextdir)
if os.path.isdir(scriptdir):
dir, rest = nextdir, nextrest
- i = rest.find('/')
+ i = path.find('/', len(dir)+1)
else:
break
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index bed55e8..7d64318 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.cwd = os.getcwd()
self.parent_dir = tempfile.mkdtemp()
self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+ self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
os.mkdir(self.cgi_dir)
+ os.mkdir(self.cgi_child_dir)
self.nocgi_path = None
self.file1_path = None
self.file2_path = None
+ self.file3_path = None
# The shebang line should be pure ASCII: use symlink if possible.
# See issue #7668.
@@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
file2.write(cgi_file2 % self.pythonexe)
os.chmod(self.file2_path, 0o777)
+ self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+ with open(self.file3_path, 'w', encoding='utf-8') as file3:
+ file3.write(cgi_file1 % self.pythonexe)
+ os.chmod(self.file3_path, 0o777)
+
os.chdir(self.parent_dir)
def tearDown(self):
@@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase):
os.remove(self.file1_path)
if self.file2_path:
os.remove(self.file2_path)
+ if self.file3_path:
+ os.remove(self.file3_path)
+ os.rmdir(self.cgi_child_dir)
os.rmdir(self.cgi_dir)
os.rmdir(self.parent_dir)
finally:
@@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
(res.read(), res.getheader('Content-type'), res.status))
+ def test_nested_cgi_path_issue21323(self):
+ res = self.request('/cgi-bin/child-dir/file3.py')
+ self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
def __init__(self):
diff --git a/Misc/ACKS b/Misc/ACKS
index a932074..c1df480 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -164,6 +164,7 @@ Alastair Burt
Tarn Weisner Burton
Lee Busby
Ralph Butler
+Zach Byrne
Jp Calderone
Arnaud Calmettes
Daniel Calvelo
diff --git a/Misc/NEWS b/Misc/NEWS
index 6070711..12f02b3 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -36,6 +36,9 @@ Library
- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
service using certificates with many wildcards (CVE-2013-2099).
+- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
+ broken by the fix for security issue #19435. Patch by Zach Byrne.
+
What's New in Python 3.2.5?
===========================