GH-5054: CGIHTTPRequestHandler.run_cgi() HTTP_ACCEPT improperly parsed (#23638)
parent
556d97f473
commit
da3d2abe6b
|
@ -1122,12 +1122,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
|
|||
referer = self.headers.get('referer')
|
||||
if referer:
|
||||
env['HTTP_REFERER'] = referer
|
||||
accept = []
|
||||
for line in self.headers.getallmatchingheaders('accept'):
|
||||
if line[:1] in "\t\n\r ":
|
||||
accept.append(line.strip())
|
||||
else:
|
||||
accept = accept + line[7:].split(',')
|
||||
accept = self.headers.get_all('accept', ())
|
||||
env['HTTP_ACCEPT'] = ','.join(accept)
|
||||
ua = self.headers.get('user-agent')
|
||||
if ua:
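Review bot: The value joined into `env['HTTP_ACCEPT']` is now the raw client-supplied text returned by `self.headers.get_all('accept', ())`, with no whitespace normalisation. The removed loop stripped continuation lines itself. With `get_all`, a folded Accept header may keep its embedded CR/LF and tab inside the environment variable handed to the CGI child, depending on how the header parser unfolds it, which is not visible in this hunk. Collapsing whitespace per value would make the behaviour explicit, e.g. `accept = [' '.join(v.split()) for v in self.headers.get_all('accept', ())]`. A one-line comment that the value is client-controlled and passed through unvalidated would also help; run_cgi starts and ends outside this hunk.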
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
Written by Cody A.W. Somerville <cody-somerville@ubuntu.com>,
|
||||
Josip Dzolonga, and Michael Otteneder for the 2007/08 GHOP contest.
|
||||
"""
|
||||
|
||||
from collections import OrderedDict
|
||||
from http.server import BaseHTTPRequestHandler, HTTPServer, \
|
||||
SimpleHTTPRequestHandler, CGIHTTPRequestHandler
|
||||
from http import server, HTTPStatus
|
||||
|
@ -19,7 +19,7 @@ import shutil
|
|||
import email.message
|
||||
import email.utils
|
||||
import html
|
||||
import http.client
|
||||
import http, http.client
|
||||
import urllib.parse
|
||||
import tempfile
|
||||
import time
|
||||
|
@ -588,6 +588,15 @@ print()
|
|||
print(os.environ["%s"])
|
||||
"""
|
||||
|
||||
cgi_file6 = """\
|
||||
#!%s
|
||||
import os
|
||||
|
||||
print("Content-type: text/plain")
|
||||
print()
|
||||
print(repr(os.environ))
|
||||
"""
|
||||
|
||||
|
||||
@unittest.skipIf(hasattr(os, 'geteuid') and os.geteuid() == 0,
|
||||
"This test can't be run reliably as root (issue #13308).")
|
||||
|
@ -666,6 +675,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
file5.write(cgi_file1 % self.pythonexe)
|
||||
os.chmod(self.file5_path, 0o777)
|
||||
|
||||
self.file6_path = os.path.join(self.cgi_dir, 'file6.py')
|
||||
with open(self.file6_path, 'w', encoding='utf-8') as file6:
|
||||
file6.write(cgi_file6 % self.pythonexe)
|
||||
os.chmod(self.file6_path, 0o777)
|
||||
|
||||
os.chdir(self.parent_dir)
|
||||
|
||||
def tearDown(self):
|
||||
|
@ -685,6 +699,8 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
os.remove(self.file4_path)
|
||||
if self.file5_path:
|
||||
os.remove(self.file5_path)
|
||||
if self.file6_path:
|
||||
os.remove(self.file6_path)
|
||||
os.rmdir(self.cgi_child_dir)
|
||||
os.rmdir(self.cgi_dir)
|
||||
os.rmdir(self.cgi_dir_in_sub_dir)
|
||||
|
@ -818,6 +834,23 @@ class CGIHTTPServerTestCase(BaseTestCase):
|
|||
finally:
|
||||
CGIHTTPRequestHandler.cgi_directories.remove('/sub/dir/cgi-bin')
|
||||
|
||||
def test_accept(self):
|
||||
browser_accept = \
|
||||
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
|
||||
tests = (
|
||||
((('Accept', browser_accept),), browser_accept),
|
||||
((), ''),
|
||||
# Hack case to get two values for the one header
|
||||
((('Accept', 'text/html'), ('ACCEPT', 'text/plain')),
|
||||
'text/html,text/plain'),
|
||||
)
|
||||
for headers, expected in tests:
|
||||
headers = OrderedDict(headers)
|
||||
with self.subTest(headers):
|
||||
res = self.request('/cgi-bin/file6.py', 'GET', headers=headers)
|
||||
self.assertEqual(http.HTTPStatus.OK, res.status)
|
||||
expected = f"'HTTP_ACCEPT': {expected!r}"
|
||||
self.assertIn(expected.encode('ascii'), res.read())
|
||||
|
||||
|
||||
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
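Review bot: `test_accept` (hunk `@ -818,6 +834,23 @@`) has no case for a folded, continuation-line Accept header. That is the one input the removed parsing loop in run_cgi handled with its own branch, so the new `get_all` path is untested exactly where behaviour changed. A fourth tuple whose value spans two lines would pin what HTTP_ACCEPT contains then. Separately, `cgi_file6` returns `repr(os.environ)` and the assertion matches a substring of it, which ties the test to repr quoting and echoes the whole test environment in the response. A script that prints only the HTTP_ACCEPT value would be narrower.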
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
CGIHTTPRequestHandler.run_cgi() HTTP_ACCEPT improperly parsed. Replace the
|
||||
special purpose getallmatchingheaders with generic get_all method and add
|
||||
relevant tests.
|
||||
|
||||
Original Patch by Martin Panter. Modified by Senthil Kumaran.
|