mirror of https://github.com/python/cpython
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
This commit is contained in:
parent
314dc126ce
commit
915a30fb0d
|
@ -969,16 +969,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
|
|||
def run_cgi(self):
|
||||
"""Execute a CGI script."""
|
||||
dir, rest = self.cgi_info
|
||||
|
||||
i = rest.find('/')
|
||||
path = dir + '/' + rest
|
||||
i = path.find('/', len(dir)+1)
|
||||
while i >= 0:
|
||||
nextdir = rest[:i]
|
||||
nextrest = rest[i+1:]
|
||||
nextdir = path[:i]
|
||||
nextrest = path[i+1:]
|
||||
|
||||
scriptdir = self.translate_path(nextdir)
|
||||
if os.path.isdir(scriptdir):
|
||||
dir, rest = nextdir, nextrest
|
||||
i = rest.find('/')
|
||||
i = path.find('/', len(dir)+1)
|
||||
else:
|
||||
break
|
||||
|
||||
|
|
|
@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
self.cwd = os.getcwd()
|
||||
self.parent_dir = tempfile.mkdtemp()
|
||||
self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
|
||||
self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
|
||||
os.mkdir(self.cgi_dir)
|
||||
os.mkdir(self.cgi_child_dir)
|
||||
self.nocgi_path = None
|
||||
self.file1_path = None
|
||||
self.file2_path = None
|
||||
self.file3_path = None
|
||||
|
||||
# The shebang line should be pure ASCII: use symlink if possible.
|
||||
# See issue #7668.
|
||||
|
@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
file2.write(cgi_file2 % self.pythonexe)
|
||||
os.chmod(self.file2_path, 0o777)
|
||||
|
||||
self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
|
||||
with open(self.file3_path, 'w', encoding='utf-8') as file3:
|
||||
file3.write(cgi_file1 % self.pythonexe)
|
||||
os.chmod(self.file3_path, 0o777)
|
||||
|
||||
os.chdir(self.parent_dir)
|
||||
|
||||
def tearDown(self):
|
||||
|
@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
os.remove(self.file1_path)
|
||||
if self.file2_path:
|
||||
os.remove(self.file2_path)
|
||||
if self.file3_path:
|
||||
os.remove(self.file3_path)
|
||||
os.rmdir(self.cgi_child_dir)
|
||||
os.rmdir(self.cgi_dir)
|
||||
os.rmdir(self.parent_dir)
|
||||
finally:
|
||||
|
@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
|
||||
(res.read(), res.getheader('Content-type'), res.status))
|
||||
|
||||
def test_nested_cgi_path_issue21323(self):
|
||||
res = self.request('/cgi-bin/child-dir/file3.py')
|
||||
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
|
||||
(res.read(), res.getheader('Content-type'), res.status))
|
||||
|
||||
|
||||
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
|
||||
def __init__(self):
|
||||
|
|
|
@ -164,6 +164,7 @@ Alastair Burt
|
|||
Tarn Weisner Burton
|
||||
Lee Busby
|
||||
Ralph Butler
|
||||
Zach Byrne
|
||||
Jp Calderone
|
||||
Arnaud Calmettes
|
||||
Daniel Calvelo
|
||||
|
|
|
@ -36,6 +36,9 @@ Library
|
|||
- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
|
||||
service using certificates with many wildcards (CVE-2013-2099).
|
||||
|
||||
- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
|
||||
broken by the fix for security issue #19435. Patch by Zach Byrne.
|
||||
|
||||
|
||||
What's New in Python 3.2.5?
|
||||
===========================
|
||||
|
|
Loading…
Reference in New Issue