merge 3.4 (#21766)

Lib/http/server.py

@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
         (and the next character is a '/' or the end of the string).
 
         """
-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
         dir_sep = collapsed_path.find('/', 1)
         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
         if head in self.cgi_directories:

Lib/test/test_httpservers.py

@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
                 (res.read(), res.getheader('Content-type'), res.status))
         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
 
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
     def __init__(self):

Misc/NEWS

@@ -106,6 +106,9 @@ Library
   run_forever() and run_until_complete() methods of asyncio.BaseEventLoop now
   raise an exception if the event loop was closed.
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Issue #21310: Fixed possible resource leak in failed open().
 
 - Issue #21256: Printout of keyword args should be in deterministic order in