From 915a30fb0db8d4fc09cdf2f91db103edb5ad2cef Mon Sep 17 00:00:00 2001 From: Ned Deily Date: Sat, 12 Jul 2014 22:06:26 -0700 Subject: [PATCH] Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. --- Lib/http/server.py | 10 +++++----- Lib/test/test_httpservers.py | 16 ++++++++++++++++ Misc/ACKS | 1 + Misc/NEWS | 3 +++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/Lib/http/server.py b/Lib/http/server.py index 1f4d1bbc11c..b0548cfd8ce 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -969,16 +969,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): def run_cgi(self): """Execute a CGI script.""" dir, rest = self.cgi_info - - i = rest.find('/') + path = dir + '/' + rest + i = path.find('/', len(dir)+1) while i >= 0: - nextdir = rest[:i] - nextrest = rest[i+1:] + nextdir = path[:i] + nextrest = path[i+1:] scriptdir = self.translate_path(nextdir) if os.path.isdir(scriptdir): dir, rest = nextdir, nextrest - i = rest.find('/') + i = path.find('/', len(dir)+1) else: break diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index bed55e81536..7d64318f49a 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase): self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin') + self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir') os.mkdir(self.cgi_dir) + os.mkdir(self.cgi_child_dir) self.nocgi_path = None self.file1_path = None self.file2_path = None + self.file3_path = None # The shebang line should be pure ASCII: use symlink if possible. # See issue #7668. @@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase): file2.write(cgi_file2 % self.pythonexe) os.chmod(self.file2_path, 0o777) + self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py') + with open(self.file3_path, 'w', encoding='utf-8') as file3: + file3.write(cgi_file1 % self.pythonexe) + os.chmod(self.file3_path, 0o777) + os.chdir(self.parent_dir) def tearDown(self): @@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase): os.remove(self.file1_path) if self.file2_path: os.remove(self.file2_path) + if self.file3_path: + os.remove(self.file3_path) + os.rmdir(self.cgi_child_dir) os.rmdir(self.cgi_dir) os.rmdir(self.parent_dir) finally: @@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase): self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), (res.read(), res.getheader('Content-type'), res.status)) + def test_nested_cgi_path_issue21323(self): + res = self.request('/cgi-bin/child-dir/file3.py') + self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): diff --git a/Misc/ACKS b/Misc/ACKS index a9320749754..c1df48054f5 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -164,6 +164,7 @@ Alastair Burt Tarn Weisner Burton Lee Busby Ralph Butler +Zach Byrne Jp Calderone Arnaud Calmettes Daniel Calvelo diff --git a/Misc/NEWS b/Misc/NEWS index 6070711b846..12f02b3df7d 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -36,6 +36,9 @@ Library - Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). +- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, + broken by the fix for security issue #19435. Patch by Zach Byrne. + What's New in Python 3.2.5? ===========================