diff options
author | Ned Deily <nad@acm.org> | 2014-07-13 05:12:39 (GMT) |
---|---|---|
committer | Ned Deily <nad@acm.org> | 2014-07-13 05:12:39 (GMT) |
commit | 217f4cd7ee587310587f70c28cd3b25c722275ba (patch) | |
tree | 889a13ade493f1ce40960aeb9b59c3f289951df4 | |
parent | ac4b7f705a9194d9f5392f7aa7e4f66ac3e36f8b (diff) | |
parent | 915a30fb0db8d4fc09cdf2f91db103edb5ad2cef (diff) | |
download | cpython-217f4cd7ee587310587f70c28cd3b25c722275ba.zip cpython-217f4cd7ee587310587f70c28cd3b25c722275ba.tar.gz cpython-217f4cd7ee587310587f70c28cd3b25c722275ba.tar.bz2 |
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
-rw-r--r-- | Lib/http/server.py | 10 | ||||
-rw-r--r-- | Lib/test/test_httpservers.py | 16 | ||||
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Misc/NEWS | 3 |
4 files changed, 25 insertions, 5 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index 6a56539..7d3b506 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -994,16 +994,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info - - i = rest.find('/') + path = dir + '/' + rest + i = path.find('/', len(dir)+1) while i >= 0: - nextdir = rest[:i] - nextrest = rest[i+1:] + nextdir = path[:i] + nextrest = path[i+1:] scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest - i = rest.find('/') + i = path.find('/', len(dir)+1) else: break diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index 07b9cd7..be5d8de 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -324,10 +324,13 @@ class CGIHTTPServerTestCase(BaseTestCase): self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin') + self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir') os.mkdir(self.cgi_dir) + os.mkdir(self.cgi_child_dir) self.nocgi_path = None self.file1_path = None self.file2_path = None + self.file3_path = None # The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -361,6 +364,11 @@ class CGIHTTPServerTestCase(BaseTestCase): file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777) + self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py') + with open(self.file3_path, 'w', encoding='utf-8') as file3: + file3.write(cgi_file1 % self.pythonexe) + os.chmod(self.file3_path, 0o777) + os.chdir(self.parent_dir) def tearDown(self): @@ -374,6 +382,9 @@ class CGIHTTPServerTestCase(BaseTestCase): os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path) + if self.file3_path: + os.remove(self.file3_path) + os.rmdir(self.cgi_child_dir) os.rmdir(self.cgi_dir) os.rmdir(self.parent_dir) finally: @@ -469,6 +480,11 @@ class CGIHTTPServerTestCase(BaseTestCase): self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status)) + def test_nested_cgi_path_issue21323(self): + res = self.request('/cgi-bin/child-dir/file3.py') + self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): @@ -186,6 +186,7 @@ Alastair Burt Tarn Weisner Burton Lee Busby Ralph Butler +Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes @@ -38,6 +38,9 @@ Library as documented. The pattern and source keyword parameters are left as deprecated aliases. +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, + broken by the fix for security issue #19435. Patch by Zach Byrne. + Tests ----- |