mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

use the collapsed path in the run_cgi method (closes #19435)

Browse source
This commit is contained in:
Benjamin Peterson 2013-10-30 12:43:09 -04:00
parent 505be2146f
commit 04e9de40f3
3 changed files with 16 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Lib/http/server.py
View file

@ -926,18 +926,17 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
def run_cgi(self): def run_cgi(self):
"""Execute a CGI script.""" """Execute a CGI script."""
path = self.path
dir, rest = self.cgi_info dir, rest = self.cgi_info
i = path.find('/', len(dir) + 1) i = rest.find('/')
while i >= 0: while i >= 0:
nextdir = path[:i] nextdir = rest[:i]
nextrest = path[i+1:] nextrest = rest[i+1:]
scriptdir = self.translate_path(nextdir) scriptdir = self.translate_path(nextdir)
if os.path.isdir(scriptdir): if os.path.isdir(scriptdir):
dir, rest = nextdir, nextrest dir, rest = nextdir, nextrest
i = path.find('/', len(dir) + 1) i = rest.find('/')
else: else:
break break

10
Lib/test/test_httpservers.py
View file

@ -388,6 +388,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
else: else:
self.pythonexe = sys.executable self.pythonexe = sys.executable
self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
with open(self.nocgi_path, 'w') as fp:
fp.write(cgi_file1 % self.pythonexe)
os.chmod(self.nocgi_path, 0o777)
self.file1_path = os.path.join(self.cgi_dir, 'file1.py') self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
with open(self.file1_path, 'w') as file1: with open(self.file1_path, 'w') as file1:
file1.write(cgi_file1 % self.pythonexe) file1.write(cgi_file1 % self.pythonexe)
@ -406,6 +411,7 @@ class CGIHTTPServerTestCase(BaseTestCase):
os.chdir(self.cwd) os.chdir(self.cwd)
if self.pythonexe != sys.executable: if self.pythonexe != sys.executable:
os.remove(self.pythonexe) os.remove(self.pythonexe)
os.remove(self.nocgi_path)
os.remove(self.file1_path) os.remove(self.file1_path)
os.remove(self.file2_path) os.remove(self.file2_path)
os.rmdir(self.cgi_dir) os.rmdir(self.cgi_dir)
@ -457,6 +463,10 @@ class CGIHTTPServerTestCase(BaseTestCase):
self.assertEqual((b'Hello World\n', 'text/html', 200), \ self.assertEqual((b'Hello World\n', 'text/html', 200), \
(res.read(), res.getheader('Content-type'), res.status)) (res.read(), res.getheader('Content-type'), res.status))
def test_issue19435(self):
res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
self.assertEqual(res.status, 404)
def test_post(self): def test_post(self):
params = urllib.parse.urlencode( params = urllib.parse.urlencode(
{'spam' : 1, 'eggs' : 'python', 'bacon' : 123456}) {'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})

2
Misc/NEWS
View file

@ -13,6 +13,8 @@ Core and Builtins
Library Library
------- -------
- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
- Issue #14984: On POSIX systems, when netrc is called without a filename - Issue #14984: On POSIX systems, when netrc is called without a filename
argument (and therefore is reading the user's $HOME/.netrc file), it now argument (and therefore is reading the user's $HOME/.netrc file), it now
enforces the same security rules as typical ftp clients: the .netrc file must enforces the same security rules as typical ftp clients: the .netrc file must