Transplant of rev 544b654d000c: directory traversal attack in CGIHttpRequestHandler.

This commit is contained in:
Georg Brandl 2013-11-11 06:10:23 +01:00
parent 85b8be1ac8
commit b3acaccf27
3 changed files with 21 additions and 5 deletions

View File

@ -987,18 +987,17 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
def run_cgi(self):
"""Execute a CGI script."""
path = self.path
dir, rest = self.cgi_info
i = path.find('/', len(dir) + 1)
i = rest.find('/')
while i >= 0:
nextdir = path[:i]
nextrest = path[i+1:]
nextdir = rest[:i]
nextrest = rest[i+1:]
scriptdir = self.translate_path(nextdir)
if os.path.isdir(scriptdir):
dir, rest = nextdir, nextrest
i = path.find('/', len(dir) + 1)
i = rest.find('/')
else:
break

View File

@ -325,6 +325,7 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.parent_dir = tempfile.mkdtemp()
self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
os.mkdir(self.cgi_dir)
self.nocgi_path = None
self.file1_path = None
self.file2_path = None
@ -345,6 +346,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.tearDown()
self.skipTest("Python executable path is not encodable to utf-8")
self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
with open(self.nocgi_path, 'w') as fp:
fp.write(cgi_file1 % self.pythonexe)
os.chmod(self.nocgi_path, 0o777)
self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
with open(self.file1_path, 'w', encoding='utf-8') as file1:
file1.write(cgi_file1 % self.pythonexe)
@ -362,6 +368,8 @@ class CGIHTTPServerTestCase(BaseTestCase):
os.chdir(self.cwd)
if self.pythonexe != sys.executable:
os.remove(self.pythonexe)
if self.nocgi_path:
os.remove(self.nocgi_path)
if self.file1_path:
os.remove(self.file1_path)
if self.file2_path:
@ -418,6 +426,10 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
(res.read(), res.getheader('Content-type'), res.status))
def test_issue19435(self):
res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
self.assertEqual(res.status, 404)
def test_post(self):
params = urllib.parse.urlencode(
{'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})

View File

@ -7,6 +7,11 @@ What's New in Python 3.3.3?
*Release date: XX-Nov-2013*
Library
-------
- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
Tests
-----