Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit ad71f0f

Browse files
benjaminpbenjaminp
committed
Merged revisions 71303 via svnmerge from
svn+ssh://[email protected]/python/trunk ........ r71303 | gregory.p.smith | 2009-04-06 01:33:26 -0500 (Mon, 06 Apr 2009) | 3 lines - Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are now collapsed within the url properly before looking in cgi_directories. ........
1 parent ef3e4c2 commit ad71f0f

2 files changed

Lines changed: 96 additions & 14 deletions

File tree

Lib/http/server.py

Lines changed: 50 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -773,6 +773,46 @@ def guess_type(self, path):
773773

774774
# Utilities for CGIHTTPRequestHandler
775775

776+
# TODO(gregory.p.smith): Move this into an appropriate library.
777+
def _url_collapse_path_split(path):
778+
"""
779+
Given a URL path, remove extra '/'s and '.' path elements and collapse
780+
any '..' references.
781+
782+
Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
783+
784+
Returns: A tuple of (head, tail) where tail is everything after the final /
785+
and head is everything before it. Head will always start with a '/' and,
786+
if it contains anything else, never have a trailing '/'.
787+
788+
Raises: IndexError if too many '..' occur within the path.
789+
"""
790+
# Similar to os.path.split(os.path.normpath(path)) but specific to URL
791+
# path semantics rather than local operating system semantics.
792+
path_parts = []
793+
for part in path.split('/'):
794+
if part == '.':
795+
path_parts.append('')
796+
else:
797+
path_parts.append(part)
798+
# Filter out blank non trailing parts before consuming the '..'.
799+
path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
800+
if path_parts:
801+
tail_part = path_parts.pop()
802+
else:
803+
tail_part = ''
804+
head_parts = []
805+
for part in path_parts:
806+
if part == '..':
807+
head_parts.pop()
808+
else:
809+
head_parts.append(part)
810+
if tail_part and tail_part == '..':
811+
head_parts.pop()
812+
tail_part = ''
813+
return ('/' + '/'.join(head_parts), tail_part)
814+
815+
776816
nobody = None
777817

778818
def nobody_uid():
@@ -839,24 +879,20 @@ def send_head(self):
839879
def is_cgi(self):
840880
"""Test whether self.path corresponds to a CGI script.
841881
842-
Return a tuple (dir, rest) if self.path requires running a
843-
CGI script, None if not. Note that rest begins with a
844-
slash if it is not empty.
882+
Returns True and updates the cgi_info attribute to the tuple
883+
(dir, rest) if self.path requires running a CGI script.
884+
Returns False otherwise.
845885
846-
The default implementation tests whether the path
847-
begins with one of the strings in the list
848-
self.cgi_directories (and the next character is a '/'
849-
or the end of the string).
886+
The default implementation tests whether the normalized url
887+
path begins with one of the strings in self.cgi_directories
888+
(and the next character is a '/' or the end of the string).
850889
851890
"""
852891

853-
path = self.path
854-
855-
for x in self.cgi_directories:
856-
i = len(x)
857-
if path[:i] == x and (not path[i:] or path[i] == '/'):
858-
self.cgi_info = path[:i], path[i+1:]
859-
return True
892+
splitpath = _url_collapse_path_split(self.path)
893+
if splitpath[0] in self.cgi_directories:
894+
self.cgi_info = splitpath
895+
return True
860896
return False
861897

862898
cgi_directories = ['/cgi-bin', '/htbin']

Lib/test/test_httpservers.py

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66

77
from http.server import BaseHTTPRequestHandler, HTTPServer, \
88
SimpleHTTPRequestHandler, CGIHTTPRequestHandler
9+
from http import server
910

1011
import os
1112
import sys
@@ -316,6 +317,45 @@ def tearDown(self):
316317
finally:
317318
BaseTestCase.tearDown(self)
318319

320+
def test_url_collapse_path_split(self):
321+
test_vectors = {
322+
'': ('/', ''),
323+
'..': IndexError,
324+
'/.//..': IndexError,
325+
'/': ('/', ''),
326+
'//': ('/', ''),
327+
'/\\': ('/', '\\'),
328+
'/.//': ('/', ''),
329+
'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
330+
'/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
331+
'a': ('/', 'a'),
332+
'/a': ('/', 'a'),
333+
'//a': ('/', 'a'),
334+
'./a': ('/', 'a'),
335+
'./C:/': ('/C:', ''),
336+
'/a/b': ('/a', 'b'),
337+
'/a/b/': ('/a/b', ''),
338+
'/a/b/c/..': ('/a/b', ''),
339+
'/a/b/c/../d': ('/a/b', 'd'),
340+
'/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
341+
'/a/b/c/../d/e/../../f': ('/a/b', 'f'),
342+
'/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
343+
'../a/b/c/../d/e/.././././..//f': IndexError,
344+
'/a/b/c/../d/e/../../../f': ('/a', 'f'),
345+
'/a/b/c/../d/e/../../../../f': ('/', 'f'),
346+
'/a/b/c/../d/e/../../../../../f': IndexError,
347+
'/a/b/c/../d/e/../../../../f/..': ('/', ''),
348+
}
349+
for path, expected in test_vectors.items():
350+
if isinstance(expected, type) and issubclass(expected, Exception):
351+
self.assertRaises(expected,
352+
server._url_collapse_path_split, path)
353+
else:
354+
actual = server._url_collapse_path_split(path)
355+
self.assertEquals(expected, actual,
356+
msg='path = %r\nGot: %r\nWanted: %r' % (
357+
path, actual, expected))
358+
319359
def test_headers_and_content(self):
320360
res = self.request('/cgi-bin/file1.py')
321361
self.assertEquals((b'Hello World\n', 'text/html', 200), \
@@ -341,6 +381,12 @@ def test_authorization(self):
341381
self.assertEquals((b'Hello World\n', 'text/html', 200), \
342382
(res.read(), res.getheader('Content-type'), res.status))
343383

384+
def test_no_leading_slash(self):
385+
# http://bugs.python.org/issue2254
386+
res = self.request('cgi-bin/file1.py')
387+
self.assertEquals((b'Hello World\n', 'text/html', 200),
388+
(res.read(), res.getheader('Content-type'), res.status))
389+
344390

345391
def test_main(verbose=None):
346392
try:

0 commit comments

Comments
 (0)