Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 35aca89

Browse files
benjaminpbenjaminp
committed
merge 3.1 (#19435)
2 parents 58bf8d2 + 04e9de4 commit 35aca89

3 files changed

Lines changed: 18 additions & 5 deletions

File tree

Lib/http/server.py

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -968,18 +968,17 @@ def is_python(self, path):
968968

969969
def run_cgi(self):
970970
"""Execute a CGI script."""
971-
path = self.path
972971
dir, rest = self.cgi_info
973972

974-
i = path.find('/', len(dir) + 1)
973+
i = rest.find('/')
975974
while i >= 0:
976-
nextdir = path[:i]
977-
nextrest = path[i+1:]
975+
nextdir = rest[:i]
976+
nextrest = rest[i+1:]
978977

979978
scriptdir = self.translate_path(nextdir)
980979
if os.path.isdir(scriptdir):
981980
dir, rest = nextdir, nextrest
982-
i = path.find('/', len(dir) + 1)
981+
i = rest.find('/')
983982
else:
984983
break
985984

Lib/test/test_httpservers.py

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -322,6 +322,7 @@ def setUp(self):
322322
self.parent_dir = tempfile.mkdtemp()
323323
self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
324324
os.mkdir(self.cgi_dir)
325+
self.nocgi_path = None
325326
self.file1_path = None
326327
self.file2_path = None
327328

@@ -342,6 +343,11 @@ def setUp(self):
342343
self.tearDown()
343344
self.skipTest("Python executable path is not encodable to utf-8")
344345

346+
self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
347+
with open(self.nocgi_path, 'w') as fp:
348+
fp.write(cgi_file1 % self.pythonexe)
349+
os.chmod(self.nocgi_path, 0o777)
350+
345351
self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
346352
with open(self.file1_path, 'w', encoding='utf-8') as file1:
347353
file1.write(cgi_file1 % self.pythonexe)
@@ -359,6 +365,8 @@ def tearDown(self):
359365
os.chdir(self.cwd)
360366
if self.pythonexe != sys.executable:
361367
os.remove(self.pythonexe)
368+
if self.nocgi_path:
369+
os.remove(self.nocgi_path)
362370
if self.file1_path:
363371
os.remove(self.file1_path)
364372
if self.file2_path:
@@ -415,6 +423,10 @@ def test_headers_and_content(self):
415423
self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
416424
(res.read(), res.getheader('Content-type'), res.status))
417425

426+
def test_issue19435(self):
427+
res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
428+
self.assertEqual(res.status, 404)
429+
418430
def test_post(self):
419431
params = urllib.parse.urlencode(
420432
{'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})

Misc/NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,8 @@ What's New in Python 3.2.6?
1010
Library
1111
-------
1212

13+
- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
14+
1315
- Issue #14984: On POSIX systems, when netrc is called without a filename
1416
argument (and therefore is reading the user's $HOME/.netrc file), it now
1517
enforces the same security rules as typical ftp clients: the .netrc file must

0 commit comments

Comments
 (0)