cpython: d367ea865ea4 (original) (raw)
changeset 91663:d367ea865ea4 2.7
Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. [#21323]
Ned Deily nad@acm.org | |
---|---|
date | Sat, 12 Jul 2014 22:01:15 -0700 |
parents | cc8849331528 |
children | b6c5719e0f4e |
files | Lib/CGIHTTPServer.py Lib/test/test_httpservers.py Misc/ACKS Misc/NEWS |
diffstat | 4 files changed, 23 insertions(+), 5 deletions(-)[+] [-] Lib/CGIHTTPServer.py 10 Lib/test/test_httpservers.py 14 Misc/ACKS 1 Misc/NEWS 3 |
--- a/Lib/CGIHTTPServer.py +++ b/Lib/CGIHTTPServer.py @@ -106,16 +106,16 @@ class CGIHTTPRequestHandler(SimpleHTTPSe def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info -
i = rest.find('/')[](#l1.8)
path = dir + '/' + rest[](#l1.9)
i = path.find('/', len(dir)+1)[](#l1.10) while i >= 0:[](#l1.11)
nextdir = rest[:i][](#l1.12)
nextrest = rest[i+1:][](#l1.13)
nextdir = path[:i][](#l1.14)
nextrest = path[i+1:][](#l1.15)
scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest
i = rest.find('/')[](#l1.20)
i = path.find('/', len(dir)+1)[](#l1.21) else:[](#l1.22) break[](#l1.23)
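Review bot: The rewritten loop in run_cgi carries no comment saying why it now scans `path` (`dir + '/' + rest`) starting at `len(dir)+1` rather than scanning `rest`, and per the commit message that is the detail the earlier security fix got wrong. Because `self.translate_path(nextdir)` and the `os.path.isdir` result decide which directory/remainder split is kept, I would add a comment above the loop such as `# Probe the full prefix (dir included) so nested CGI dirs resolve; cgi_info is expected to be normalised already.`. The normalisation of `self.cgi_info` is not visible in this hunk (presumably done in is_cgi), so that half of the comment should be confirmed before it is written down. run_cgi's body continues outside the hunk.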
--- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -386,7 +386,9 @@ class CGIHTTPServerTestCase(BaseTestCase BaseTestCase.setUp(self) self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')[](#l2.7) os.mkdir(self.cgi_dir)[](#l2.8)
os.mkdir(self.cgi_child_dir)[](#l2.9)
# The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -411,6 +413,11 @@ class CGIHTTPServerTestCase(BaseTestCase file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0777)
self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')[](#l2.17)
with open(self.file3_path, 'w') as file3:[](#l2.18)
file3.write(cgi_file1 % self.pythonexe)[](#l2.19)
os.chmod(self.file3_path, 0777)[](#l2.20)
+ self.cwd = os.getcwd() os.chdir(self.parent_dir) @@ -422,6 +429,8 @@ class CGIHTTPServerTestCase(BaseTestCase os.remove(self.nocgi_path) os.remove(self.file1_path) os.remove(self.file2_path)
os.remove(self.file3_path)[](#l2.29)
os.rmdir(self.cgi_child_dir)[](#l2.30) os.rmdir(self.cgi_dir)[](#l2.31) os.rmdir(self.parent_dir)[](#l2.32) finally:[](#l2.33)
@@ -516,6 +525,11 @@ class CGIHTTPServerTestCase(BaseTestCase self.assertEqual((b'Hello World\n', 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status))
- def test_nested_cgi_path_issue21323(self):
res = self.request('/cgi-bin/child-dir/file3.py')[](#l2.39)
self.assertEqual((b'Hello World\n', 'text/html', 200),[](#l2.40)
(res.read(), res.getheader('Content-type'), res.status))[](#l2.41)
+ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase): """ Test url parsing """
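Review bot: test_nested_cgi_path_issue21323 checks only the positive case, that `/cgi-bin/child-dir/file3.py` is served. Nothing added in these hunks checks that the nested-directory walk still keeps requests inside the CGI directory, which the commit message says the earlier security fix was for. Unless the file already covers this outside the visible hunks, a companion test that requests a path under `child-dir` containing `..` segments and asserts that nothing outside `cgi-bin` is run as a script would stop the two fixes from regressing each other. The new `child-dir` fixture from setUp can be reused for it. The test class continues outside these hunks.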
--- a/Misc/ACKS +++ b/Misc/ACKS @@ -198,6 +198,7 @@ Tarn Weisner Burton Lee Busby Katherine Busch Ralph Butler +Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes