use the collapsed path in the run_cgi method (closes #19435)

2013-10-30 12:43:09 -04:00 · 2013-10-30 12:43:09 -04:00 · 1ef959ac3d
parent 21376cfdee
commit 1ef959ac3d
3 changed files with 19 additions and 5 deletions
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@ -105,18 +105,17 @@ class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):

    def run_cgi(self):
        """Execute a CGI script."""
-        path = self.path
        dir, rest = self.cgi_info

-        i = path.find('/', len(dir) + 1)
+        i = rest.find('/')
        while i >= 0:
-            nextdir = path[:i]
-            nextrest = path[i+1:]
+            nextdir = rest[:i]
+            nextrest = rest[i+1:]

            scriptdir = self.translate_path(nextdir)
            if os.path.isdir(scriptdir):
                dir, rest = nextdir, nextrest
-                i = path.find('/', len(dir) + 1)
+                i = rest.find('/')
            else:
                break

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -396,6 +396,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
        else:
            self.pythonexe = sys.executable

+        self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
+        with open(self.nocgi_path, 'w') as fp:
+            fp.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.nocgi_path, 0777)
+
        self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
        with open(self.file1_path, 'w') as file1:
            file1.write(cgi_file1 % self.pythonexe)
@ -414,6 +419,7 @@ class CGIHTTPServerTestCase(BaseTestCase):
            os.chdir(self.cwd)
            if self.pythonexe != sys.executable:
                os.remove(self.pythonexe)
+            os.remove(self.nocgi_path)
            os.remove(self.file1_path)
            os.remove(self.file2_path)
            os.rmdir(self.cgi_dir)
@ -468,6 +474,10 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.assertEqual(('Hello World\n', 'text/html', 200),
            (res.read(), res.getheader('Content-type'), res.status))

+    def test_issue19435(self):
+        res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
+        self.assertEqual(res.status, 404)
+
    def test_post(self):
        params = urllib.urlencode({'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})
        headers = {'Content-type' : 'application/x-www-form-urlencoded'}
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -6,6 +6,11 @@ Whats' New in Python 2.7.6?

 *Release date: 2013-11-02*

+Library
+-------
+
+- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
+
 IDLE
 ----