Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,

broken by the fix for security issue #19435. Patch by Zach Byrne.

Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
c8937629 · Ned Deily · f2892879 · c8937629 · c8937629 · c8937629
Kaydet (Commit) c8937629 authored Tem 13, 2014 tarafından Ned Deily
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 5 deletions

CGIHTTPServer.py Lib/CGIHTTPServer.py +5 -5

test_httpservers.py Lib/test/test_httpservers.py +14 -0

ACKS Misc/ACKS +1 -0

NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -106,16 +106,16 @@ class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def run_cgi(self):
        """Execute a CGI script."""
        dir, rest = self.cgi_info
+        path = dir + '/' + rest
-        i = rest.find('/')
+        i = path.find('/', len(dir)+1)
        while i >= 0:
-            nextdir = rest[:i]
+            nextdir = path[:i]
-            nextrest = rest[i+1:]
+            nextrest = path[i+1:]
            scriptdir = self.translate_path(nextdir)
            if os.path.isdir(scriptdir):
                dir, rest = nextdir, nextrest
-                i = rest.find('/')
+                i = path.find('/', len(dir)+1)
            else:
                break

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -386,7 +386,9 @@ class CGIHTTPServerTestCase(BaseTestCase):
        BaseTestCase.setUp(self)
        self.parent_dir = tempfile.mkdtemp()
        self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+        self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
        os.mkdir(self.cgi_dir)
+        os.mkdir(self.cgi_child_dir)
        # The shebang line should be pure ASCII: use symlink if possible.
        # See issue #7668.
@@ -411,6 +413,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
            file2.write(cgi_file2 % self.pythonexe)
        os.chmod(self.file2_path, 0777)
+        self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+        with open(self.file3_path, 'w') as file3:
+            file3.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.file3_path, 0777)
        self.cwd = os.getcwd()
        os.chdir(self.parent_dir)
@@ -422,6 +429,8 @@ class CGIHTTPServerTestCase(BaseTestCase):
            os.remove(self.nocgi_path)
            os.remove(self.file1_path)
            os.remove(self.file2_path)
+            os.remove(self.file3_path)
+            os.rmdir(self.cgi_child_dir)
            os.rmdir(self.cgi_dir)
            os.rmdir(self.parent_dir)
        finally:
@@ -516,6 +525,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.assertEqual((b'Hello World\n', 'text/html', 200),
                (res.read(), res.getheader('Content-type'), res.status))
+    def test_nested_cgi_path_issue21323(self):
+        res = self.request('/cgi-bin/child-dir/file3.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
    """ Test url parsing """

--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -198,6 +198,7 @@ Tarn Weisner Burton
 Lee Busby
 Katherine Busch
 Ralph Butler
+Zach Byrne
 Nicolas Cadou
 Jp Calderone
 Arnaud Calmettes

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@ Library
 - Issue #21923: Prevent AttributeError in distutils.sysconfig.customize_compiler
  due to possible uninitialized _config_vars.
+- Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
+  broken by the fix for security issue #19435.  Patch by Zach Byrne.
 What's New in Python 2.7.8?
 ===========================