diff options
author | Ned Deily <nad@acm.org> | 2014-07-13 05:06:26 (GMT) |
---|---|---|
committer | Ned Deily <nad@acm.org> | 2014-07-13 05:06:26 (GMT) |
commit | 915a30fb0db8d4fc09cdf2f91db103edb5ad2cef (patch) | |
tree | ee9db54b270845dfcc1d469a3bd79be415f30429 | |
parent | 314dc126ce45a5e1369b408645e5da480a05bc9d (diff) | |
download | cpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.zip cpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.tar.gz cpython-915a30fb0db8d4fc09cdf2f91db103edb5ad2cef.tar.bz2 |
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
-rw-r--r-- | Lib/http/server.py | 10 | ||||
-rw-r--r-- | Lib/test/test_httpservers.py | 16 | ||||
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Misc/NEWS | 3 |
4 files changed, 25 insertions, 5 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index 1f4d1bb..b0548cf 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -969,16 +969,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info - - i = rest.find('/') + path = dir + '/' + rest + i = path.find('/', len(dir)+1) while i >= 0: - nextdir = rest[:i] - nextrest = rest[i+1:] + nextdir = path[:i] + nextrest = path[i+1:] scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest - i = rest.find('/') + i = path.find('/', len(dir)+1) else: break diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index bed55e8..7d64318 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase): self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin') + self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir') os.mkdir(self.cgi_dir) + os.mkdir(self.cgi_child_dir) self.nocgi_path = None self.file1_path = None self.file2_path = None + self.file3_path = None # The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase): file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777) + self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py') + with open(self.file3_path, 'w', encoding='utf-8') as file3: + file3.write(cgi_file1 % self.pythonexe) + os.chmod(self.file3_path, 0o777) + os.chdir(self.parent_dir) def tearDown(self): @@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase): os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path) + if self.file3_path: + os.remove(self.file3_path) + os.rmdir(self.cgi_child_dir) os.rmdir(self.cgi_dir) os.rmdir(self.parent_dir) finally: @@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase): self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status)) + def test_nested_cgi_path_issue21323(self): + res = self.request('/cgi-bin/child-dir/file3.py') + self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): @@ -164,6 +164,7 @@ Alastair Burt Tarn Weisner Burton Lee Busby Ralph Butler +Zach Byrne Jp Calderone Arnaud Calmettes Daniel Calvelo @@ -36,6 +36,9 @@ Library - Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, + broken by the fix for security issue #19435. Patch by Zach Byrne. + What's New in Python 3.2.5? =========================== |