(original) (raw)

changeset: 91666:385f4406dc26 branch: 3.4 parent: 91660:afa9c0e24a71 parent: 91665:b957f475e41e user: Ned Deily nad@acm.org date: Sat Jul 12 22:16:56 2014 -0700 files: Lib/http/server.py Lib/test/test_httpservers.py Misc/ACKS Misc/NEWS description: Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. diff -r afa9c0e24a71 -r 385f4406dc26 Lib/http/server.py --- a/Lib/http/server.py Sat Jul 12 18:24:32 2014 +0300 +++ b/Lib/http/server.py Sat Jul 12 22:16:56 2014 -0700 @@ -1000,16 +1000,16 @@ def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info - - i = rest.find('/') + path = dir + '/' + rest + i = path.find('/', len(dir)+1) while i >= 0: - nextdir = rest[:i] - nextrest = rest[i+1:] + nextdir = path[:i] + nextrest = path[i+1:] scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest - i = rest.find('/') + i = path.find('/', len(dir)+1) else: break diff -r afa9c0e24a71 -r 385f4406dc26 Lib/test/test_httpservers.py --- a/Lib/test/test_httpservers.py Sat Jul 12 18:24:32 2014 +0300 +++ b/Lib/test/test_httpservers.py Sat Jul 12 22:16:56 2014 -0700 @@ -346,10 +346,13 @@ self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin') + self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir') os.mkdir(self.cgi_dir) + os.mkdir(self.cgi_child_dir) self.nocgi_path = None self.file1_path = None self.file2_path = None + self.file3_path = None # The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -383,6 +386,11 @@ file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777) + self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py') + with open(self.file3_path, 'w', encoding='utf-8') as file3: + file3.write(cgi_file1 % self.pythonexe) + os.chmod(self.file3_path, 0o777) + os.chdir(self.parent_dir) def tearDown(self): @@ -396,6 +404,9 @@ os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path) + if self.file3_path: + os.remove(self.file3_path) + os.rmdir(self.cgi_child_dir) os.rmdir(self.cgi_dir) os.rmdir(self.parent_dir) finally: @@ -491,6 +502,11 @@ self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status)) + def test_nested_cgi_path_issue21323(self): + res = self.request('/cgi-bin/child-dir/file3.py') + self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): diff -r afa9c0e24a71 -r 385f4406dc26 Misc/ACKS --- a/Misc/ACKS Sat Jul 12 18:24:32 2014 +0300 +++ b/Misc/ACKS Sat Jul 12 22:16:56 2014 -0700 @@ -200,6 +200,7 @@ Lee Busby Katherine Busch Ralph Butler +Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes diff -r afa9c0e24a71 -r 385f4406dc26 Misc/NEWS --- a/Misc/NEWS Sat Jul 12 18:24:32 2014 +0300 +++ b/Misc/NEWS Sat Jul 12 22:16:56 2014 -0700 @@ -1,4 +1,4 @@ - +++++++++++ ++++++++++++ Python News +++++++++++ @@ -158,6 +158,9 @@ - Issue #21923: Prevent AttributeError in distutils.sysconfig.customize_compiler due to possible uninitialized _config_vars. +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, + broken by the fix for security issue #19435. Patch by Zach Byrne. + Build ----- /nad@acm.org