cpython: b957f475e41e (original) (raw)
Mercurial > cpython
changeset 91665:b957f475e41e 3.3
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. [#21323]
| Ned Deily nad@acm.org | |
|---|---|
| date | Sat, 12 Jul 2014 22:12:39 -0700 |
| parents | cf156cfb12e7(current diff)4de94641ba3e(diff) |
| children | 385f4406dc26 a36d469f31c1 |
| files | Lib/http/server.py Lib/test/test_httpservers.py Misc/ACKS Misc/NEWS |
| diffstat | 4 files changed, 25 insertions(+), 5 deletions(-)[+] [-] Lib/http/server.py 10 Lib/test/test_httpservers.py 16 Misc/ACKS 1 Misc/NEWS 3 |
line wrap: on
line diff
--- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -994,16 +994,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRe def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info -
i = rest.find('/')[](#l1.8)
path = dir + '/' + rest[](#l1.9)i = path.find('/', len(dir)+1)[](#l1.10) while i >= 0:[](#l1.11)
nextdir = rest[:i][](#l1.12)nextrest = rest[i+1:][](#l1.13)
nextdir = path[:i][](#l1.14)nextrest = path[i+1:][](#l1.15)
scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest
i = rest.find('/')[](#l1.20)
i = path.find('/', len(dir)+1)[](#l1.21) else:[](#l1.22) break[](#l1.23)
--- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -324,10 +324,13 @@ class CGIHTTPServerTestCase(BaseTestCase self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')[](#l2.7) os.mkdir(self.cgi_dir)[](#l2.8)os.mkdir(self.cgi_child_dir)[](#l2.9) self.nocgi_path = None[](#l2.10) self.file1_path = None[](#l2.11) self.file2_path = None[](#l2.12)self.file3_path = None[](#l2.13)
# The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -361,6 +364,11 @@ class CGIHTTPServerTestCase(BaseTestCase file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777)
self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')[](#l2.21)with open(self.file3_path, 'w', encoding='utf-8') as file3:[](#l2.22)file3.write(cgi_file1 % self.pythonexe)[](#l2.23)os.chmod(self.file3_path, 0o777)[](#l2.24)
+ os.chdir(self.parent_dir) def tearDown(self): @@ -374,6 +382,9 @@ class CGIHTTPServerTestCase(BaseTestCase os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path)
if self.file3_path:[](#l2.33)os.remove(self.file3_path)[](#l2.34)os.rmdir(self.cgi_child_dir)[](#l2.35) os.rmdir(self.cgi_dir)[](#l2.36) os.rmdir(self.parent_dir)[](#l2.37) finally:[](#l2.38)
@@ -469,6 +480,11 @@ class CGIHTTPServerTestCase(BaseTestCase self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status))
- def test_nested_cgi_path_issue21323(self):
res = self.request('/cgi-bin/child-dir/file3.py')[](#l2.44)self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),[](#l2.45)(res.read(), res.getheader('Content-type'), res.status))[](#l2.46)
+ class SocketlessRequestHandler(SimpleHTTPRequestHandler): def init(self):
--- a/Misc/ACKS +++ b/Misc/ACKS @@ -186,6 +186,7 @@ Alastair Burt Tarn Weisner Burton Lee Busby Ralph Butler +Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes
--- a/Misc/NEWS +++ b/Misc/NEWS @@ -38,6 +38,9 @@ Library as documented. The pattern and source keyword parameters are left as deprecated aliases. +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,