]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ce817cb)
url unquote the path before checking if it refers to a CGI script (closes #21766)
authorBenjamin Peterson <benjamin@python.org>
Sun, 15 Jun 2014 01:36:29 +0000 (18:36 -0700)
committerBenjamin Peterson <benjamin@python.org>
Sun, 15 Jun 2014 01:36:29 +0000 (18:36 -0700)
Lib/CGIHTTPServer.py patch | blob | history
Lib/test/test_httpservers.py patch | blob | history
Misc/NEWS patch | blob | history

diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
index 50e0f7ae1951b4823ff4babb469e47be2d3f53e6..2acf913155098aeb0acfea77f033e289aa8ac0c9 100644 (file)
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
         path begins with one of the strings in self.cgi_directories
         (and the next character is a '/' or the end of the string).
         """
-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.unquote(self.path))
         dir_sep = collapsed_path.find('/', 1)
         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
         if head in self.cgi_directories:
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index 2390c70a1d626fd24c8716efbf156bc172faca8a..6a23bb2e0df838e8ef8f37ae8909d3daa175e552 100644 (file)
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
                 (res.read(), res.getheader('Content-type'), res.status))
         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
 
 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
     """ Test url parsing """
diff --git a/Misc/NEWS b/Misc/NEWS
index b09bd84f5ead34754b1f379217ac06aa36394478..310d2370f6a2c220a8c4ab9e31d52a48633c9c78 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Issue #21310: Fixed possible resource leak in failed open().
 
 - Issue #21304: Backport the key derivation function hashlib.pbkdf2_hmac from
Unnamed repository; edit this file 'description' to name the repository.