Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,

broken by the fix for security issue #19435. Patch by Zach Byrne.

Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
d4273d3b · Ned Deily · 22be8e2b · 65fba576 · d4273d3b · d4273d3b
Commit d4273d3b authored Jul 12, 2014 by Ned Deily
30 changed files
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -994,16 +994,16 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
    def run_cgi(self):
        """Execute a CGI script."""
        dir, rest = self.cgi_info
-
-        i = rest.find('/')
+        path = dir + '/' + rest
+        i = path.find('/', len(dir)+1)
        while i >= 0:
-            nextdir = rest[:i]
-            nextrest = rest[i+1:]
+            nextdir = path[:i]
+            nextrest = path[i+1:]

            scriptdir = self.translate_path(nextdir)
            if os.path.isdir(scriptdir):
                dir, rest = nextdir, nextrest
-                i = rest.find('/')
+                i = path.find('/', len(dir)+1)
            else:
                break


--- a/Lib/lib2to3/tests/data/different_encoding.py
+++ b/Lib/lib2to3/tests/data/different_encoding.py
--- a/Lib/test/crashers/recursive_call.py
+++ b/Lib/test/crashers/recursive_call.py
--- a/Lib/test/curses_tests.py
+++ b/Lib/test/curses_tests.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -324,10 +324,13 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.cwd = os.getcwd()
        self.parent_dir = tempfile.mkdtemp()
        self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
+        self.cgi_child_dir = os.path.join(self.cgi_dir, 'child-dir')
        os.mkdir(self.cgi_dir)
+        os.mkdir(self.cgi_child_dir)
        self.nocgi_path = None
        self.file1_path = None
        self.file2_path = None
+        self.file3_path = None

        # The shebang line should be pure ASCII: use symlink if possible.
        # See issue #7668.
@@ -361,6 +364,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
            file2.write(cgi_file2 % self.pythonexe)
        os.chmod(self.file2_path, 0o777)

+        self.file3_path = os.path.join(self.cgi_child_dir, 'file3.py')
+        with open(self.file3_path, 'w', encoding='utf-8') as file3:
+            file3.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.file3_path, 0o777)
+
        os.chdir(self.parent_dir)

    def tearDown(self):
@@ -374,6 +382,9 @@ class CGIHTTPServerTestCase(BaseTestCase):
                os.remove(self.file1_path)
            if self.file2_path:
                os.remove(self.file2_path)
+            if self.file3_path:
+                os.remove(self.file3_path)
+            os.rmdir(self.cgi_child_dir)
            os.rmdir(self.cgi_dir)
            os.rmdir(self.parent_dir)
        finally:
@@ -469,6 +480,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
                (res.read(), res.getheader('Content-type'), res.status))

+    def test_nested_cgi_path_issue21323(self):
+        res = self.request('/cgi-bin/child-dir/file3.py')
+        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+

 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
    def __init__(self):

--- a/Lib/turtledemo/bytedesign.py
+++ b/Lib/turtledemo/bytedesign.py
--- a/Lib/turtledemo/clock.py
+++ b/Lib/turtledemo/clock.py
--- a/Lib/turtledemo/forest.py
+++ b/Lib/turtledemo/forest.py
--- a/Lib/turtledemo/fractalcurves.py
+++ b/Lib/turtledemo/fractalcurves.py
--- a/Lib/turtledemo/lindenmayer.py
+++ b/Lib/turtledemo/lindenmayer.py
--- a/Lib/turtledemo/minimal_hanoi.py
+++ b/Lib/turtledemo/minimal_hanoi.py
--- a/Lib/turtledemo/paint.py
+++ b/Lib/turtledemo/paint.py
--- a/Lib/turtledemo/peace.py
+++ b/Lib/turtledemo/peace.py
--- a/Lib/turtledemo/penrose.py
+++ b/Lib/turtledemo/penrose.py
--- a/Lib/turtledemo/planet_and_moon.py
+++ b/Lib/turtledemo/planet_and_moon.py
--- a/Lib/turtledemo/tree.py
+++ b/Lib/turtledemo/tree.py
--- a/Lib/turtledemo/two_canvases.py
+++ b/Lib/turtledemo/two_canvases.py
--- a/Lib/turtledemo/yinyang.py
+++ b/Lib/turtledemo/yinyang.py
--- a/Mac/PythonLauncher/MyDocument.h
+++ b/Mac/PythonLauncher/MyDocument.h
--- a/Mac/Tools/bundlebuilder.py
+++ b/Mac/Tools/bundlebuilder.py
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -186,6 +186,7 @@ Alastair Burt
 Tarn Weisner Burton
 Lee Busby
 Ralph Butler
+Zach Byrne
 Nicolas Cadou
 Jp Calderone
 Arnaud Calmettes

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -38,6 +38,9 @@ Library
  as documented.  The pattern and source keyword parameters are left as
  deprecated aliases.

+- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
+  broken by the fix for security issue #19435.  Patch by Zach Byrne.
+
 Tests
 -----


--- a/Modules/_ctypes/libffi/build-ios.sh
+++ b/Modules/_ctypes/libffi/build-ios.sh
--- a/Modules/_ctypes/libffi/generate-ios-source-and-headers.py
+++ b/Modules/_ctypes/libffi/generate-ios-source-and-headers.py
--- a/Modules/_ctypes/libffi/libtool-ldflags
+++ b/Modules/_ctypes/libffi/libtool-ldflags
--- a/Modules/_ctypes/libffi/msvcc.sh
+++ b/Modules/_ctypes/libffi/msvcc.sh
--- a/Modules/_ctypes/libffi/src/arm/gentramp.sh
+++ b/Modules/_ctypes/libffi/src/arm/gentramp.sh
--- a/Tools/pybench/Setup.py
+++ b/Tools/pybench/Setup.py
--- a/Tools/pybench/clockres.py
+++ b/Tools/pybench/clockres.py
--- a/Tools/test2to3/maintest.py
+++ b/Tools/test2to3/maintest.py