8000 Issue #21323: Fix http.server to again handle scripts in CGI subdirec… · python/cpython@915a30f · GitHub

Commit 915a30f

Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
1 parent 314dc12 commit 915a30f


4 files changed

+25
-5
lines changed


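--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -969,16 +969,16 @@ def is_python(self, path):
 def run_cgi(self):
 """Execute a CGI script."""
 dir, rest = self.cgi_info
-
-i = rest.find('/')
+path = dir + '/' + rest
+i = path.find('/', len(dir)+1)
 while i >= 0:
-nextdir = rest[:i]
-nextrest = rest[i+1:]
+nextdir = path[:i]
+nextrest = path[i+1:]
 
 scriptdir = self.translate_path(nextdir)
 if os.path.isdir(scriptdir):
 dir, rest = nextdir, nextrest
-i = rest.find('/')
+i = path.find('/', len(dir)+1)
 else:
 break
 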
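Review bot: The directory walk in run_cgi scans `rest` before any query string is visibly split off, so `path.find('/', len(dir)+1)` can stop on a `/` that belongs to the query rather than to the URL path. Whether that is harmless depends on how translate_path() treats a `?`, which this hunk does not show. I would bound the scan to the path component at both call sites, e.g. `end = path.find('?')` followed by `i = path.find('/', len(dir)+1, end if end >= 0 else len(path))`, so only real path segments are ever handed to os.path.isdir(). Since this loop already regressed once after the #19435 security fix, it also deserves a comment such as `# Test the whole prefix (path[:i]), not a fragment relative to the CGI dir`. run_cgi continues past the end of the hunk.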

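--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -321,10 +321,13 @@ def setUp(self):
 self.cwd = os.getcwd()
 self.parent_dir = tempfile.mkdtemp()
 self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
 os.mkdir(self.cgi_dir)
+os.mkdir(self.cgi_child_dir)
 self.nocgi_path = None
 self.file1_path = None
 self.file2_path = None
+self.file3_path = None
 
 # The shebang line should be pure ASCII: use symlink if possible.
 # See issue #7668.
@@ -358,6 +361,11 @@ def setUp(self):
 file2.write(cgi_file2 % self.pythonexe)
 os.chmod(self.file2_path, 0o777)
 
+self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+with open(self.file3_path, 'w', encoding='utf-8') as file3:
+file3.write(cgi_file1 % self.pythonexe)
+os.chmod(self.file3_path, 0o777)
+
 os.chdir(self.parent_dir)
 
 def tearDown(self):
@@ -371,6 +379,9 @@ def tearDown(self):
 os.remove(self.file1_path)
 if self.file2_path:
 os.remove(self.file2_path)
+if self.file3_path:
+os.remove(self.file3_path)
+os.rmdir(self.cgi_child_dir)
 os.rmdir(self.cgi_dir)
 os.rmdir(self.parent_dir)
 finally:
@@ -466,6 +477,11 @@ def test_urlquote_decoding_in_cgi_check(self):
 self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
 (res.read(), res.getheader('Content-type'), res.status))
 
+def test_nested_cgi_path_issue21323(self):
+res = self.request('/cgi-bin/child-dir/file3.py')
+self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
+(res.read(), res.getheader('Content-type'), res.status))
+
 
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
 def __init__(self):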
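Review bot: The new test_nested_cgi_path_issue21323 only proves that a script one level below cgi-bin now runs; nothing added here checks that the restriction introduced for #19435 still holds once subdirectories are walked. Because the commit reworks code that regressed after a security fix, I would add a negative case next to it, for example asserting that a request for a name that does not exist under child-dir gets an error status instead of being executed, and a positive case with two nested levels. Separately, setUp marks the new script with `os.chmod(self.file3_path, 0o777)`; this matches the existing files, but `0o755` is enough for an executable CGI script. setUp and tearDown both extend beyond the visible hunks.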

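--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -164,6 +164,7 @@ Alastair Burt
 Tarn Weisner Burton
 Lee Busby
 Ralph Butler
+Zach Byrne
 Jp Calderone
 Arnaud Calmettes
 Daniel Calvelo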

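--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -36,6 +36,9 @@ Library
 - Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
 service using certificates with many wildcards (CVE-2013-2099).
 
+- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
+broken by the fix for security issue #19435. Patch by Zach Byrne.
+
 
 What's New in Python 3.2.5?
 ===========================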
