cpython: 4de94641ba3e (original) (raw)

Mercurial > cpython

changeset 91664:4de94641ba3e 3.2

Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. [#21323]

Ned Deily nad@acm.org
date	Sat, 12 Jul 2014 22:06:26 -0700
parents	77f227624cff
children	b957f475e41e e2c9e0a3ef02
files	Lib/http/server.py Lib/test/test_httpservers.py Misc/ACKS Misc/NEWS
diffstat	4 files changed, 25 insertions(+), 5 deletions(-)[+] [-] Lib/http/server.py 10 Lib/test/test_httpservers.py 16 Misc/ACKS 1 Misc/NEWS 3

line wrap: on

line diff

--- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -969,16 +969,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRe def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info -

```
   i = rest.find('/')[](#l1.8)
```

```
   path = dir + '/' + rest[](#l1.9)
```

   i = path.find('/', len(dir)+1)[](#l1.10)
   while i >= 0:[](#l1.11)

```
       nextdir = rest[:i][](#l1.12)
```
```
       nextrest = rest[i+1:][](#l1.13)
```

```
       nextdir = path[:i][](#l1.14)
```
```
       nextrest = path[i+1:][](#l1.15)
```

scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest

```
           i = rest.find('/')[](#l1.20)
```

           i = path.find('/', len(dir)+1)[](#l1.21)
       else:[](#l1.22)
           break[](#l1.23)

--- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')

   self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')[](#l2.7)
   os.mkdir(self.cgi_dir)[](#l2.8)

   os.mkdir(self.cgi_child_dir)[](#l2.9)
   self.nocgi_path = None[](#l2.10)
   self.file1_path = None[](#l2.11)
   self.file2_path = None[](#l2.12)

```
   self.file3_path = None[](#l2.13)
```

# The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777)

   self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')[](#l2.21)

   with open(self.file3_path, 'w', encoding='utf-8') as file3:[](#l2.22)

       file3.write(cgi_file1 % self.pythonexe)[](#l2.23)

   os.chmod(self.file3_path, 0o777)[](#l2.24)

+ os.chdir(self.parent_dir) def tearDown(self): @@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path)

```
       if self.file3_path:[](#l2.33)
```

           os.remove(self.file3_path)[](#l2.34)

       os.rmdir(self.cgi_child_dir)[](#l2.35)
       os.rmdir(self.cgi_dir)[](#l2.36)
       os.rmdir(self.parent_dir)[](#l2.37)
   finally:[](#l2.38)

@@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status))

def test_nested_cgi_path_issue21323(self):

   res = self.request('/cgi-bin/child-dir/file3.py')[](#l2.44)

   self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),[](#l2.45)

           (res.read(), res.getheader('Content-type'), res.status))[](#l2.46)

+ class SocketlessRequestHandler(SimpleHTTPRequestHandler): def init(self):

--- a/Misc/ACKS +++ b/Misc/ACKS @@ -164,6 +164,7 @@ Alastair Burt Tarn Weisner Burton Lee Busby Ralph Butler +Zach Byrne Jp Calderone Arnaud Calmettes Daniel Calvelo

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -36,6 +36,9 @@ Library

Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,

broken by the fix for security issue #19435. Patch by Zach Byrne. + What's New in Python 3.2.5? ===========================