[New-bugs-announce] [issue16945] rewrite CGIHTTPRequestHandler to always use subprocess
report at bugs.python.org
Sat Jan 12 15:14:43 CET 2013
New submission from Charles-François Natali:
On Unix, CGIHTTPRequestHandler.run_cgi() uses the following code to run a CGI script:
    pid = os.fork()
    os.execve(scriptfile, args, env)
It's basically reimplementing subprocess.Popen, with a potential security issue: open file descriptors are not closed before exec, which means that the CGI script - which is run as 'nobody' on Unix to reduce its privileges - can inherit open sockets or files (unless they're close-on-exec)...
The attached patch rewrites run_cgi() to use subprocess on all platforms.
I'm not at all familiar with CGI, so I don't guarantee it's correct, but the regression test test_httpservers passes on Linux.
It leads to cleaner and safer code, so if someone with some httpserver/CGI background could review it, it would be great.
keywords: needs review, patch
stage: patch review
title: rewrite CGIHTTPRequestHandler to always use subprocess
versions: Python 3.4
Added file: http://bugs.python.org/file28706/cgi_subprocess.diff
Python tracker <report at bugs.python.org>
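
The descriptor inheritance described in the report can be observed directly with the sketch below. It is an added example, not code from the report or the attached patch; it assumes a Unix system, and the probe script, function names and pipe are constructed for illustration. Since Python 3.4 (PEP 446) descriptors created by Python are non-inheritable by default, so the example marks one inheritable explicitly to reproduce the condition the report describes.

```python
import fcntl
import os
import subprocess
import sys

# Constructed probe run as the "CGI script": exit 0 if fd argv[1] is open.
PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)

def probe_args(fd):
    return [sys.executable, "-c", PROBE, str(fd)]

def leaks_via_fork_exec(fd):
    """Start the probe as the old run_cgi() did: fork(), then execve()."""
    pid = os.fork()
    if pid == 0:  # child: nothing closes inherited descriptors before exec
        try:
            os.execve(sys.executable, probe_args(fd), dict(os.environ))
        finally:
            os._exit(127)  # only reached if execve() failed
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0

def leaks_via_subprocess(fd):
    """Start the probe with subprocess; close_fds=True closes fds above 2."""
    return subprocess.call(probe_args(fd), close_fds=True) == 0

def demo(inheritable=True):
    """Return (leaked with fork/exec, leaked with subprocess) for one fd."""
    r, w = os.pipe()  # constructed stand-in for a server socket or file
    # Duplicate to a high number so the probe's interpreter cannot reuse it.
    fd = fcntl.fcntl(r, fcntl.F_DUPFD, 100)
    os.set_inheritable(fd, inheritable)  # False means close-on-exec
    try:
        return leaks_via_fork_exec(fd), leaks_via_subprocess(fd)
    finally:
        for f in (r, w, fd):
            os.close(f)

if __name__ == "__main__":
    print("inheritable fd: ", demo(True))
    print("close-on-exec fd:", demo(False))
```
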