use the collapsed path in the run_cgi method (closes #19435)

author: Benjamin Peterson <benjamin@python.org> 2013-10-30 16:43:09 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2013-10-30 16:43:09 (GMT)
commit: 04e9de40f380b2695f955d68f2721d57cecbf858 (patch)
tree: 24b72df52cccd33d948e41f08642e9aea80ab51e /Misc
parent: 505be2146fcee88b71899136a808173f588f9628 (diff)
download: cpython-04e9de40f380b2695f955d68f2721d57cecbf858.zip
cpython-04e9de40f380b2695f955d68f2721d57cecbf858.tar.gz
cpython-04e9de40f380b2695f955d68f2721d57cecbf858.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 89ee27d..d3f8b2f 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
+
 - Issue #14984: On POSIX systems, when netrc is called without a filename
   argument (and therefore is reading the user's $HOME/.netrc file), it now
   enforces the same security rules as typical ftp clients: the .netrc file must
author	Benjamin Peterson <benjamin@python.org>	2013-10-30 16:43:09 (GMT)
committer	Benjamin Peterson <benjamin@python.org>	2013-10-30 16:43:09 (GMT)
commit	04e9de40f380b2695f955d68f2721d57cecbf858 (patch)
tree	24b72df52cccd33d948e41f08642e9aea80ab51e /Misc
parent	505be2146fcee88b71899136a808173f588f9628 (diff)
download	cpython-04e9de40f380b2695f955d68f2721d57cecbf858.zip cpython-04e9de40f380b2695f955d68f2721d57cecbf858.tar.gz cpython-04e9de40f380b2695f955d68f2721d57cecbf858.tar.bz2