url unquote the path before checking if it refers to a CGI script (closes #21766)

author: Benjamin Peterson <benjamin@python.org> 2014-06-15 01:36:29 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2014-06-15 01:36:29 (GMT)
commit: 73b8b1cdb8beb44069aad44c5358aca4904fc103 (patch)
tree: 136a1f1718bb052d553422a292f72295431d422e /Misc
parent: 49991deb6ecbd2c820863d212f143f107c046a26 (diff)
download: cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.zip
cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.gz
cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index e44219a..6070711 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
   parameter. Bug reported by Guido Vranken.
author	Benjamin Peterson <benjamin@python.org>	2014-06-15 01:36:29 (GMT)
committer	Benjamin Peterson <benjamin@python.org>	2014-06-15 01:36:29 (GMT)
commit	73b8b1cdb8beb44069aad44c5358aca4904fc103 (patch)
tree	136a1f1718bb052d553422a292f72295431d422e /Misc
parent	49991deb6ecbd2c820863d212f143f107c046a26 (diff)
download	cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.zip cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.gz cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.bz2