Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,

ned-deily · ned-deily · commit 5d0d2e6ed6b6 · 2014-07-12T22:16:56.000-07:00
broken by the fix for security issue #19435. Patch by Zach Byrne.
diff --git a/Lib/http/server.py b/Lib/http/server.py
@@ -1000,16 +1000,16 @@ def is_python(self, path):
     def run_cgi(self):
         """Execute a CGI script."""
         dir, rest = self.cgi_info
-
-        i = rest.find('/')
+        path = dir + '/' + rest
+        i = path.find('/', len(dir)+1)
         while i >= 0:
-            nextdir = rest[:i]
-            nextrest = rest[i+1:]
+            nextdir = path[:i]
+            nextrest = path[i+1:]
 
             scriptdir = self.translate_path(nextdir)
             if os.path.isdir(scriptdir):
                 dir, rest = nextdir, nextrest
-                i = rest.find('/')
+                i = path.find('/', len(dir)+1)
             else:
                 break
 
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
@@ -346,10 +346,13 @@ def setUp(self):
         self.cwd = os.getcwd()
         self.parent_dir = tempfile.mkdtemp()
         self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+        self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
         os.mkdir(self.cgi_dir)
+        os.mkdir(self.cgi_child_dir)
         self.nocgi_path = None
         self.file1_path = None
         self.file2_path = None
+        self.file3_path = None
 
         # The shebang line should be pure ASCII: use symlink if possible.
         # See issue #7668.
@@ -383,6 +386,11 @@ def setUp(self):
             file2.write(cgi_file2 % self.pythonexe)
         os.chmod(self.file2_path, 0o777)
 
+        self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+        with open(self.file3_path, 'w', encoding='utf-8') as file3:
+            file3.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.file3_path, 0o777)
+
         os.chdir(self.parent_dir)
 
     def tearDown(self):
@@ -396,6 +404,9 @@ def tearDown(self):
                 os.remove(self.file1_path)
             if self.file2_path:
                 os.remove(self.file2_path)
+            if self.file3_path:
+                os.remove(self.file3_path)
+            os.rmdir(self.cgi_child_dir)
             os.rmdir(self.cgi_dir)
             os.rmdir(self.parent_dir)
         finally:
@@ -491,6 +502,11 @@ def test_urlquote_decoding_in_cgi_check(self):
         self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
                 (res.read(), res.getheader('Content-type'), res.status))
 
+    def test_nested_cgi_path_issue21323(self):
+        res = self.request('/cgi-bin/child-dir/file3.py')
+        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
 
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
     def __init__(self):
diff --git a/Misc/ACKS b/Misc/ACKS
@@ -200,6 +200,7 @@ Tarn Weisner Burton
 Lee Busby
 Katherine Busch
 Ralph Butler
+Zach Byrne
 Nicolas Cadou
 Jp Calderone
 Arnaud Calmettes
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -1,4 +1,4 @@
-﻿+++++++++++
++++++++++++
 Python News
 +++++++++++
 
@@ -158,6 +158,9 @@ Library
 - Issue #21923: Prevent AttributeError in distutils.sysconfig.customize_compiler
   due to possible uninitialized _config_vars.
 
+- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
+  broken by the fix for security issue #19435.  Patch by Zach Byrne.
+
 Build
 -----
 
