From: Benjamin Peterson Date: Sun, 15 Jun 2014 01:36:29 +0000 (-0700) Subject: url unquote the path before checking if it refers to a CGI script (closes #21766) X-Git-Tag: v3.3.6rc1~16^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=73b8b1cdb8beb44069aad44c5358aca4904fc103;p=python url unquote the path before checking if it refers to a CGI script (closes #21766) --- diff --git a/Lib/http/server.py b/Lib/http/server.py index bcfe89473e..1f4d1bbc11 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -946,7 +946,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index f8198f8ae3..bb75f78525 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -461,6 +461,11 @@ class CGIHTTPServerTestCase(BaseTestCase): (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): diff --git a/Misc/NEWS b/Misc/NEWS index e44219a9d7..6070711b84 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.2.6? Library ------- +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second parameter. Bug reported by Guido Vranken.