Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,

broken by the fix for security issue #19435. Patch by Zach Byrne.
2025-08-31 14:07:50 +00:00 · 2014-07-12 22:06:26 -07:00 · 2014-07-12 22:06:26 -07:00 · 915a30fb0d
commit 915a30fb0d
parent 314dc126ce
4 changed files with 25 additions and 5 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -321,10 +321,13 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.cwd = os.getcwd()
        self.parent_dir = tempfile.mkdtemp()
        self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+        self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
        os.mkdir(self.cgi_dir)
+        os.mkdir(self.cgi_child_dir)
        self.nocgi_path = None
        self.file1_path = None
        self.file2_path = None
+        self.file3_path = None

        # The shebang line should be pure ASCII: use symlink if possible.
        # See issue #7668.
@ -358,6 +361,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
            file2.write(cgi_file2 % self.pythonexe)
        os.chmod(self.file2_path, 0o777)

+        self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+        with open(self.file3_path, 'w', encoding='utf-8') as file3:
+            file3.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.file3_path, 0o777)
+
        os.chdir(self.parent_dir)

    def tearDown(self):
@ -371,6 +379,9 @@ class CGIHTTPServerTestCase(BaseTestCase):
                os.remove(self.file1_path)
            if self.file2_path:
                os.remove(self.file2_path)
+            if self.file3_path:
+                os.remove(self.file3_path)
+            os.rmdir(self.cgi_child_dir)
            os.rmdir(self.cgi_dir)
            os.rmdir(self.parent_dir)
        finally:
@ -466,6 +477,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
                (res.read(), res.getheader('Content-type'), res.status))

+    def test_nested_cgi_path_issue21323(self):
+        res = self.request('/cgi-bin/child-dir/file3.py')
+        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+

 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
    def __init__(self):