cpython: 385f4406dc26 (original) (raw)

Mercurial > cpython

changeset 91666:385f4406dc26 3.4

Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. [#21323]

Ned Deily nad@acm.org
date	Sat, 12 Jul 2014 22:16:56 -0700
parents	afa9c0e24a71(current diff)b957f475e41e(diff)
children	22e5a85ba840 407110796b16
files	Lib/http/server.py Lib/test/test_httpservers.py Misc/ACKS Misc/NEWS
diffstat	4 files changed, 26 insertions(+), 6 deletions(-)[+] [-] Lib/http/server.py 10 Lib/test/test_httpservers.py 16 Misc/ACKS 1 Misc/NEWS 5

line wrap: on

line diff

--- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -1000,16 +1000,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRe def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info -

```
   i = rest.find('/')[](#l1.8)
```

```
   path = dir + '/' + rest[](#l1.9)
```

   i = path.find('/', len(dir)+1)[](#l1.10)
   while i >= 0:[](#l1.11)

```
       nextdir = rest[:i][](#l1.12)
```
```
       nextrest = rest[i+1:][](#l1.13)
```

```
       nextdir = path[:i][](#l1.14)
```
```
       nextrest = path[i+1:][](#l1.15)
```

scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest

```
           i = rest.find('/')[](#l1.20)
```

           i = path.find('/', len(dir)+1)[](#l1.21)
       else:[](#l1.22)
           break[](#l1.23)

--- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -346,10 +346,13 @@ class CGIHTTPServerTestCase(BaseTestCase self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')

   self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')[](#l2.7)
   os.mkdir(self.cgi_dir)[](#l2.8)

   os.mkdir(self.cgi_child_dir)[](#l2.9)
   self.nocgi_path = None[](#l2.10)
   self.file1_path = None[](#l2.11)
   self.file2_path = None[](#l2.12)

```
   self.file3_path = None[](#l2.13)
```

# The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -383,6 +386,11 @@ class CGIHTTPServerTestCase(BaseTestCase file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777)

   self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')[](#l2.21)

   with open(self.file3_path, 'w', encoding='utf-8') as file3:[](#l2.22)

       file3.write(cgi_file1 % self.pythonexe)[](#l2.23)

   os.chmod(self.file3_path, 0o777)[](#l2.24)

+ os.chdir(self.parent_dir) def tearDown(self): @@ -396,6 +404,9 @@ class CGIHTTPServerTestCase(BaseTestCase os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path)

```
       if self.file3_path:[](#l2.33)
```

           os.remove(self.file3_path)[](#l2.34)

       os.rmdir(self.cgi_child_dir)[](#l2.35)
       os.rmdir(self.cgi_dir)[](#l2.36)
       os.rmdir(self.parent_dir)[](#l2.37)
   finally:[](#l2.38)

@@ -491,6 +502,11 @@ class CGIHTTPServerTestCase(BaseTestCase self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status))

def test_nested_cgi_path_issue21323(self):

   res = self.request('/cgi-bin/child-dir/file3.py')[](#l2.44)

   self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),[](#l2.45)

           (res.read(), res.getheader('Content-type'), res.status))[](#l2.46)

+ class SocketlessRequestHandler(SimpleHTTPRequestHandler): def init(self):

--- a/Misc/ACKS +++ b/Misc/ACKS @@ -200,6 +200,7 @@ Tarn Weisner Burton Lee Busby Katherine Busch Ralph Butler +Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -1,4 +1,4 @@ -+++++++++++ ++++++++++++ Python News +++++++++++ @@ -158,6 +158,9 @@ Library

Issue #21923: Prevent AttributeError in distutils.sysconfig.customize_compiler due to possible uninitialized _config_vars. +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,

broken by the fix for security issue #19435. Patch by Zach Byrne. + Build -----