[Python-checkins] cpython (merge 3.2 -> 3.3): merge 3.2 (#21766)
benjamin.peterson
python-checkins at python.org
Sun Jun 15 03:41:59 CEST 2014
http://hg.python.org/cpython/rev/5676797f3a3e
changeset: 91179:5676797f3a3e
branch: 3.3
parent: 90675:1a3f2d0ced35
parent: 91178:e47422855841
user: Benjamin Peterson <benjamin at python.org>
date: Sat Jun 14 18:40:10 2014 -0700
summary:
merge 3.2 (#21766)
files:
Lib/http/server.py | 2 +-
Lib/test/test_httpservers.py | 5 +++++
Misc/NEWS | 3 +++
3 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/Lib/http/server.py b/Lib/http/server.py
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -971,7 +971,7 @@
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -464,6 +464,11 @@
(res.read(), res.getheader('Content-type'), res.status))
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
def __init__(self):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@
Library
-------
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+ before checking for a CGI script at that path.
+
- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
parameter. Bug reported by Guido Vranken.
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list