From 73b8b1cdb8beb44069aad44c5358aca4904fc103 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sat, 14 Jun 2014 18:36:29 -0700 Subject: [PATCH] url unquote the path before checking if it refers to a CGI script (closes #21766) --- Lib/http/server.py | 2 +- Lib/test/test_httpservers.py | 5 +++++ Misc/NEWS | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Lib/http/server.py b/Lib/http/server.py index bcfe89473ef..1f4d1bbc11c 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -946,7 +946,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index f8198f8ae3d..bb75f785250 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -461,6 +461,11 @@ class CGIHTTPServerTestCase(BaseTestCase): (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): diff --git a/Misc/NEWS b/Misc/NEWS index e44219a9d7f..6070711b846 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.2.6? Library ------- +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second parameter. Bug reported by Guido Vranken.