merge 3.2 (#21766)

author: Benjamin Peterson <benjamin@python.org> 2014-06-15 01:40:10 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2014-06-15 01:40:10 (GMT)
commit: 6cd1954c5cff4b3722a183d13648c71b18259778 (patch)
tree: 83a581787ff6cc96456bd621f29c80b8c6d958db /Misc/NEWS
parent: 13266fb5c8e4a58c33209f8d97f86469c3245d94 (diff)
parent: 73b8b1cdb8beb44069aad44c5358aca4904fc103 (diff)
download: cpython-6cd1954c5cff4b3722a183d13648c71b18259778.zip
cpython-6cd1954c5cff4b3722a183d13648c71b18259778.tar.gz
cpython-6cd1954c5cff4b3722a183d13648c71b18259778.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index f7dd62c..31980cd 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
   parameter. Bug reported by Guido Vranken.
author	Benjamin Peterson <benjamin@python.org>	2014-06-15 01:40:10 (GMT)
committer	Benjamin Peterson <benjamin@python.org>	2014-06-15 01:40:10 (GMT)
commit	6cd1954c5cff4b3722a183d13648c71b18259778 (patch)
tree	83a581787ff6cc96456bd621f29c80b8c6d958db /Misc/NEWS
parent	13266fb5c8e4a58c33209f8d97f86469c3245d94 (diff)
parent	73b8b1cdb8beb44069aad44c5358aca4904fc103 (diff)
download	cpython-6cd1954c5cff4b3722a183d13648c71b18259778.zip cpython-6cd1954c5cff4b3722a183d13648c71b18259778.tar.gz cpython-6cd1954c5cff4b3722a183d13648c71b18259778.tar.bz2