From 6ea9d69d9e51e95b31fa32076b73c5a6c1276dd4 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Wed, 13 Sep 2023 15:21:22 -0700 Subject: [PATCH 1/8] Deprecate `http.server.CGIHTTPRequestHandler`. --- Doc/library/http.server.rst | 11 +++++++++++ Lib/http/server.py | 18 ++++++++++++------ Lib/test/test_httpservers.py | 12 +++++++++++- 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index ae75e6dc5fdcf3..0f51bd66aa1fb8 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -502,11 +502,22 @@ following command runs an HTTP/1.1 conformant server:: Note that CGI scripts will be run with UID of user nobody, for security reasons. Problems with the CGI script will be translated to error 403. + .. deprecated-removed:: 3.13 3.15 + :class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not been + considered a good way to do things for well over a decade, this code has + been unmaintained for a while now and sees very little practical use. + Retaining it could lead to further + :ref:`security considerations `. + :class:`CGIHTTPRequestHandler` can be enabled in the command line by passing the ``--cgi`` option:: python -m http.server --cgi + .. deprecated-removed:: 3.13 3.15 + :mod:`http.server` command line ``--cgi`` support is being removed because + :class:`CGIHTTPRequestHandler` is being removed. + .. _http.server-security: Security Considerations diff --git a/Lib/http/server.py b/Lib/http/server.py index ca6240d9a921e6..1fc8bdd03313cc 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py 
@@ -2,18 +2,18 @@ Note: BaseHTTPRequestHandler doesn't implement any HTTP request; see SimpleHTTPRequestHandler for simple implementations of GET, HEAD and POST, -and CGIHTTPRequestHandler for CGI scripts. +and (deprecated) CGIHTTPRequestHandler for CGI scripts. -It does, however, optionally implement HTTP/1.1 persistent connections, -as of version 0.3. +It does, however, optionally implement HTTP/1.1 persistent connections. Notes on CGIHTTPRequestHandler ------------------------------ -This class implements GET and POST requests to cgi-bin scripts. +This class deprecated. It implements GET and POST requests to cgi-bin scripts. -If the os.fork() function is not present (e.g. on Windows), -subprocess.Popen() is used as a fallback, with slightly altered semantics. +If the os.fork() function is not present (Windows), subprocess.Popen() is used, +with slightly altered but never documented semantics. Use from a threaded +processes is likely to trigger a warning at os.fork() time. In all cases, the implementation is intentionally naive -- all requests are executed synchronously. @@ -986,6 +986,12 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): """ + def __init__(self, *args, **kwargs): + import warnings + warnings._deprecated("http.server.CGIHTTPRequestHandler", + remove=(3, 15)) + super().__init__(*args, **kwargs) + # Determine platform specifics have_fork = hasattr(os, 'fork') diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index cfd8a101dcc1c1..9fa6ecf9c08e27 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py 
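Review bot: The `warnings._deprecated(...)` call in the new `__init__` fires on every handler instantiation, and socketserver instantiates a request handler per accepted connection, so the warning repeats per request under `-W always` and, if I read `_deprecated`'s default stacklevel right, is attributed to a frame inside socketserver rather than to the code that selected the class — which under the default filters (DeprecationWarning shown only when attributed to `__main__`) may mean a plain `python -m http.server --cgi` user never sees it. Stating the intent next to the call would help the next reader, e.g. `# Warns per request (socketserver instantiates a handler per connection); stacklevel lands in socketserver, so rely on -W default / test runners to surface it.` If a warning at the point where the class is chosen is wanted, the `--cgi` option handling in the module's `__main__` block (outside this hunk) is the place that covers the CLI case, with an `__init_subclass__` hook as a complement for subclass authors. The `CGIHTTPRequestHandler` class body continues outside the hunk.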
@@ -699,11 +699,20 @@ def test_html_escape_filename(self): "This test can't be run reliably as root (issue #13308).") class CGIHTTPServerTestCase(BaseTestCase): class request_handler(NoLogRequestHandler, CGIHTTPRequestHandler): - pass + _test_case_self = None # populated by each setUp() method call. + + def __init__(self, *args, **kwargs): + with self._test_case_self.assertWarnsRegex( + DeprecationWarning, + r'http\.server\.CGIHTTPRequestHandler'): + # This context also happens to catch and silence the + # threading DeprecationWarning from os.fork(). + super().__init__(*args, **kwargs) linesep = os.linesep.encode('ascii') def setUp(self): + self.request_handler._test_case_self = self # practical, but yuck. BaseTestCase.setUp(self) self.cwd = os.getcwd() self.parent_dir = tempfile.mkdtemp() @@ -780,6 +789,7 @@ def setUp(self): os.chdir(self.parent_dir) def tearDown(self): + self.request_handler._test_case_self = None try: os.chdir(self.cwd) if self._pythonexe_symlink: From fd3dbe52af4621310ccc4066e8950eb131f106d7 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Fri, 15 Sep 2023 12:20:44 -0700 Subject: [PATCH 2/8] satisfy older sphinx? --- .../Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst diff --git a/Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst b/Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst new file mode 100644 index 00000000000000..bf1308498a8eb0 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst @@ -0,0 +1,3 @@ +:class:`http.server.CGIHTTPRequestHandler` has been deprecated for removal +in 3.15. Its design is old and the web world has long since moved beyond +CGI. From 24ebc8052cf515f9f2ca95d07c07a4fd99cb8de5 Mon Sep 17 00:00:00 2001 
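Review bot: `self.request_handler._test_case_self = None` in tearDown clears the class attribute before the server thread is stopped (presumably by `BaseTestCase.tearDown(self)` in the `finally` that lies outside this hunk), so a connection handled in that window makes `request_handler.__init__` call `assertWarnsRegex` on `None` and die with an AttributeError in the server thread; moving the reset to after `BaseTestCase.tearDown(self)` closes that window. The `__init__` also deserves a comment on its failure mode: `BaseRequestHandler.__init__` runs the whole request inside the `assertWarnsRegex` context, so every warning raised during handling is swallowed, and a failed assertion is raised in the server thread where socketserver's `handle_error` catches it rather than the test runner, so a regression that stops warning would surface as a broken request at best, e.g. `# NOTE: an assertion failure here is raised in the server thread and fails the test only indirectly.` Since `_test_case_self` is shared class state, a one-line comment next to it that this handler class must not be used by concurrently running test cases would also be worth adding. tearDown continues outside the hunk.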
From: "Gregory P. Smith [Google LLC]" Date: Fri, 15 Sep 2023 12:45:01 -0700 Subject: [PATCH 3/8] appease Older Sphinx? --- Doc/library/http.server.rst | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 0f51bd66aa1fb8..608469c6ad6fa9 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -503,11 +503,12 @@ following command runs an HTTP/1.1 conformant server:: reasons. Problems with the CGI script will be translated to error 403. .. deprecated-removed:: 3.13 3.15 - :class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not been - considered a good way to do things for well over a decade, this code has - been unmaintained for a while now and sees very little practical use. - Retaining it could lead to further - :ref:`security considerations `. + + :class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not + been considered a good way to do things for well over a decade, this code + has been unmaintained for a while now and sees very little practical use. + Retaining it could lead to further :ref:`security considerations + `. :class:`CGIHTTPRequestHandler` can be enabled in the command line by passing the ``--cgi`` option:: @@ -515,8 +516,9 @@ the ``--cgi`` option:: python -m http.server --cgi .. deprecated-removed:: 3.13 3.15 - :mod:`http.server` command line ``--cgi`` support is being removed because - :class:`CGIHTTPRequestHandler` is being removed. + + :mod:`http.server` command line ``--cgi`` support is being removed + because :class:`CGIHTTPRequestHandler` is being removed. .. _http.server-security: From d1f0c73e35a82dfc5310f26e5fe1f6c87f549891 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 15 Sep 2023 12:49:55 -0700 Subject: [PATCH 4/8] docstring fixup. Co-authored-by: Jelle Zijlstra --- Lib/http/server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Lib/http/server.py b/Lib/http/server.py index 1fc8bdd03313cc..17b3bbe583abde 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -13,7 +13,7 @@ If the os.fork() function is not present (Windows), subprocess.Popen() is used, with slightly altered but never documented semantics. Use from a threaded -processes is likely to trigger a warning at os.fork() time. +process is likely to trigger a warning at os.fork() time. In all cases, the implementation is intentionally naive -- all requests are executed synchronously. From 3e3a5d3da1255767384ee6962bceece05991b754 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 15 Sep 2023 12:50:32 -0700 Subject: [PATCH 5/8] docstring typo fixup Co-authored-by: Jelle Zijlstra --- Lib/http/server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/http/server.py b/Lib/http/server.py index 17b3bbe583abde..ee7a9b6aa55b88 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -9,7 +9,7 @@ Notes on CGIHTTPRequestHandler ------------------------------ -This class deprecated. It implements GET and POST requests to cgi-bin scripts. +This class is deprecated. It implements GET and POST requests to cgi-bin scripts. If the os.fork() function is not present (Windows), subprocess.Popen() is used, with slightly altered but never documented semantics. Use from a threaded From e1e9b22f42ad212830a6318a6c27b21c32b6b664 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 15 Sep 2023 12:50:45 -0700 Subject: [PATCH 6/8] Update Doc/library/http.server.rst Co-authored-by: Jelle Zijlstra --- Doc/library/http.server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 608469c6ad6fa9..1cbb2035efa661 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst 
@@ -505,7 +505,7 @@ following command runs an HTTP/1.1 conformant server:: .. deprecated-removed:: 3.13 3.15 :class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not - been considered a good way to do things for well over a decade, this code + been considered a good way to do things for well over a decade. This code has been unmaintained for a while now and sees very little practical use. Retaining it could lead to further :ref:`security considerations `. From 0c44758f0d9c800b3a4dd043bf01c2ea5953e169 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 15 Sep 2023 13:23:57 -0700 Subject: [PATCH 7/8] unindent for older sphinx Co-authored-by: Jelle Zijlstra --- Doc/library/http.server.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 1cbb2035efa661..efe87497b371d0 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -515,10 +515,10 @@ the ``--cgi`` option:: python -m http.server --cgi - .. deprecated-removed:: 3.13 3.15 +.. deprecated-removed:: 3.13 3.15 - :mod:`http.server` command line ``--cgi`` support is being removed - because :class:`CGIHTTPRequestHandler` is being removed. + :mod:`http.server` command line ``--cgi`` support is being removed + because :class:`CGIHTTPRequestHandler` is being removed. .. _http.server-security: From 7cd0b6fd87f17d6a4dc6215e0e8575f6cf1a528f Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Fri, 15 Sep 2023 13:43:57 -0700 Subject: [PATCH 8/8] what's new entries. --- Doc/whatsnew/3.13.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Doc/whatsnew/3.13.rst b/Doc/whatsnew/3.13.rst index c18e15e0448f05..43d06b886e59e4 100644 --- a/Doc/whatsnew/3.13.rst +++ b/Doc/whatsnew/3.13.rst 
@@ -248,6 +248,13 @@ Deprecated practice. (Contributed by Victor Stinner in :gh:`106535`.) +* :mod:`http.server`: :class:`http.server.CGIHTTPRequestHandler` now emits a + :exc:`DeprecationWarning` as it will be removed in 3.15. Process based CGI + http servers have been out of favor for a very long time. This code was + outdated, unmaintained, and rarely used. It has a high potential for both + security and functionality bugs. This includes removal of the ``--cgi`` + flag to the ``python -m http.server`` command line in 3.15. + * :mod:`typing`: Creating a :class:`typing.NamedTuple` class using keyword arguments to denote the fields (``NT = NamedTuple("NT", x=int, y=int)``) is deprecated, and will be disallowed in Python 3.15. Use the class-based syntax or the functional @@ -414,6 +421,11 @@ Pending Removal in Python 3.14 Pending Removal in Python 3.15 ------------------------------ +* :class:`http.server.CGIHTTPRequestHandler` will be removed along with its + related ``--cgi`` flag to ``python -m http.server``. It was obsolete and + rarely used. No direct replacement exists. *Anything* is better than CGI + to interface a web server with a request handler. + * :class:`typing.NamedTuple`: * The undocumented keyword argument syntax for creating NamedTuple classes