diff options
| -rw-r--r-- | Lib/http/server.py | 2 | ||||
| -rw-r--r-- | Lib/test/test_httpservers.py | 5 | ||||
| -rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 9 insertions, 1 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index 6ce6bda..c98df19 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index 15694af..f30ad67 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase): (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): @@ -26,6 +26,9 @@ Library run_forever() and run_until_complete() methods of asyncio.BaseEventLoop now raise an exception if the event loop was closed. +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Issue #21310: Fixed possible resource leak in failed open(). - Issue #21677: Fixed chaining nonnormalized exceptions in io close() methods. |