cpython: e4fe8fcaef0d (original) (raw)

Mercurial > cpython

changeset 86775:e4fe8fcaef0d 2.7

use the collapsed path in the run_cgi method (closes #19435) [#19435]

Benjamin Peterson benjamin@python.org
date	Wed, 30 Oct 2013 12:43:09 -0400
parents	bcbe4099206f
children	dd12639b82bf 2d02b7a97e0b
files	Lib/CGIHTTPServer.py Lib/test/test_httpservers.py Misc/NEWS
diffstat	3 files changed, 19 insertions(+), 5 deletions(-)[+] [-] Lib/CGIHTTPServer.py 9 Lib/test/test_httpservers.py 10 Misc/NEWS 5

line wrap: on

line diff

--- a/Lib/CGIHTTPServer.py +++ b/Lib/CGIHTTPServer.py @@ -105,18 +105,17 @@ class CGIHTTPRequestHandler(SimpleHTTPSe def run_cgi(self): """Execute a CGI script."""

   path = self.path[](#l1.7)
   dir, rest = self.cgi_info[](#l1.8)

   i = path.find('/', len(dir) + 1)[](#l1.10)

   i = rest.find('/')[](#l1.11)
   while i >= 0:[](#l1.12)

```
       nextdir = path[:i][](#l1.13)
```
```
       nextrest = path[i+1:][](#l1.14)
```

```
       nextdir = rest[:i][](#l1.15)
```
```
       nextrest = rest[i+1:][](#l1.16)
```

scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest

           i = path.find('/', len(dir) + 1)[](#l1.21)

           i = rest.find('/')[](#l1.22)
       else:[](#l1.23)
           break[](#l1.24)

--- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -396,6 +396,11 @@ class CGIHTTPServerTestCase(BaseTestCase else: self.pythonexe = sys.executable

   self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')[](#l2.7)

   with open(self.nocgi_path, 'w') as fp:[](#l2.8)

       fp.write(cgi_file1 % self.pythonexe)[](#l2.9)

   os.chmod(self.nocgi_path, 0777)[](#l2.10)

+ self.file1_path = os.path.join(self.cgi_dir, 'file1.py') with open(self.file1_path, 'w') as file1: file1.write(cgi_file1 % self.pythonexe) @@ -414,6 +419,7 @@ class CGIHTTPServerTestCase(BaseTestCase os.chdir(self.cwd) if self.pythonexe != sys.executable: os.remove(self.pythonexe)

       os.remove(self.nocgi_path)[](#l2.19)
       os.remove(self.file1_path)[](#l2.20)
       os.remove(self.file2_path)[](#l2.21)
       os.rmdir(self.cgi_dir)[](#l2.22)

@@ -468,6 +474,10 @@ class CGIHTTPServerTestCase(BaseTestCase self.assertEqual(('Hello World\n', 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status))

def test_issue19435(self):

   res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')[](#l2.28)

   self.assertEqual(res.status, 404)[](#l2.29)

+ def test_post(self): params = urllib.urlencode({'spam' : 1, 'eggs' : 'python', 'bacon' : 123456}) headers = {'Content-type' : 'application/x-www-form-urlencoded'}

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -6,6 +6,11 @@ Whats' New in Python 2.7.6? Release date: 2013-11-02 +Library +------- + +- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler. + IDLE ----