url unquote the path before checking if it refers to a CGI script (closes #21766)

diff --git a/Lib/http/server.py b/Lib/http/server.py
index bcfe89473efdecaa7e8e0471bb2555caa58d7487..1f4d1bbc11c7327365c84371c99691a614240cb0 100644 (file)
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -946,7 +946,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
         (and the next character is a '/' or the end of the string).
 
         """
-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
         dir_sep = collapsed_path.find('/', 1)
         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
         if head in self.cgi_directories:

diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index f8198f8ae3dc06b3323802e6335ab6595f6a4f56..bb75f7852503d25b71d9ad71521af1c2f71460f0 100644 (file)
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -461,6 +461,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
                 (res.read(), res.getheader('Content-type'), res.status))
         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
 
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
     def __init__(self):

diff --git a/Misc/NEWS b/Misc/NEWS
index e44219a9d7f428ef7c1fa0825a87b24cc256f7b0..6070711b84624b27b6f9bb451c152a191723cde2 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
   parameter. Bug reported by Guido Vranken.