merge 3.2 (#21766)

6cd1954c · Benjamin Peterson · 13266fb5 · 73b8b1cd · 6cd1954c · 6cd1954c
Commit 6cd1954c authored Jun 14, 2014 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

Lib/http/server.py Lib/http/server.py +1 -1

Lib/test/test_httpservers.py Lib/test/test_httpservers.py +5 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -971,7 +971,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
        (and the next character is a '/' or the end of the string).

        """
-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
        dir_sep = collapsed_path.find('/', 1)
        head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
        if head in self.cgi_directories:

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -464,6 +464,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
                (res.read(), res.getheader('Content-type'), res.status))
        self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)

+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+

 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
    def __init__(self):

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------

+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
  parameter. Bug reported by Guido Vranken.