1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
Origin: http://hg.python.org/cpython/rev/c6c4398293bd/
Description: Fix CGIHTTPServer information disclosure. Relative paths are now
collapsed within the url properly before looking in cgi_directories.
Bug: http://bugs.python.org/2254
diff -Naurp python2.6-2.6.7/Lib/CGIHTTPServer.py python2.6-2.6.7.new/Lib/CGIHTTPServer.py
--- python2.6-2.6.7/Lib/CGIHTTPServer.py 2009-11-11 11:24:53.000000000 -0600
+++ python2.6-2.6.7.new/Lib/CGIHTTPServer.py 2012-09-27 16:56:42.000000000 -0500
@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
def is_cgi(self):
- """Test whether self.path corresponds to a CGI script,
- and return a boolean.
+ """Test whether self.path corresponds to a CGI script.
- This function sets self.cgi_info to a tuple (dir, rest)
- when it returns True, where dir is the directory part before
- the CGI script name. Note that rest begins with a
- slash if it is not empty.
-
- The default implementation tests whether the path
- begins with one of the strings in the list
- self.cgi_directories (and the next character is a '/'
- or the end of the string).
+ Returns True and updates the cgi_info attribute to the tuple
+ (dir, rest) if self.path requires running a CGI script.
+ Returns False otherwise.
+
+ The default implementation tests whether the normalized url
+ path begins with one of the strings in self.cgi_directories
+ (and the next character is a '/' or the end of the string).
"""
-
- path = self.path
-
- for x in self.cgi_directories:
- i = len(x)
- if path[:i] == x and (not path[i:] or path[i] == '/'):
- self.cgi_info = path[:i], path[i+1:]
- return True
+ splitpath = _url_collapse_path_split(self.path)
+ if splitpath[0] in self.cgi_directories:
+ self.cgi_info = splitpath
+ return True
return False
cgi_directories = ['/cgi-bin', '/htbin']
@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
self.log_message("CGI script exited OK")
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+ """
+ Given a URL path, remove extra '/'s and '.' path elements and collapse
+ any '..' references.
+
+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+ Returns: A tuple of (head, tail) where tail is everything after the final /
+ and head is everything before it. Head will always start with a '/' and,
+ if it contains anything else, never have a trailing '/'.
+
+ Raises: IndexError if too many '..' occur within the path.
+ """
+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+ # path semantics rather than local operating system semantics.
+ path_parts = []
+ for part in path.split('/'):
+ if part == '.':
+ path_parts.append('')
+ else:
+ path_parts.append(part)
+ # Filter out blank non trailing parts before consuming the '..'.
+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+ if path_parts:
+ tail_part = path_parts.pop()
+ else:
+ tail_part = ''
+ head_parts = []
+ for part in path_parts:
+ if part == '..':
+ head_parts.pop()
+ else:
+ head_parts.append(part)
+ if tail_part and tail_part == '..':
+ head_parts.pop()
+ tail_part = ''
+ return ('/' + '/'.join(head_parts), tail_part)
+
+
nobody = None
def nobody_uid():
diff -Naurp python2.6-2.6.7/Lib/test/test_httpservers.py python2.6-2.6.7.new/Lib/test/test_httpservers.py
--- python2.6-2.6.7/Lib/test/test_httpservers.py 2010-04-25 17:09:32.000000000 -0500
+++ python2.6-2.6.7.new/Lib/test/test_httpservers.py 2012-09-27 16:56:42.000000000 -0500
@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from SimpleHTTPServer import SimpleHTTPRequestHandler
from CGIHTTPServer import CGIHTTPRequestHandler
+import CGIHTTPServer
import os
import sys
@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
finally:
BaseTestCase.tearDown(self)
+ def test_url_collapse_path_split(self):
+ test_vectors = {
+ '': ('/', ''),
+ '..': IndexError,
+ '/.//..': IndexError,
+ '/': ('/', ''),
+ '//': ('/', ''),
+ '/\\': ('/', '\\'),
+ '/.//': ('/', ''),
+ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+ 'a': ('/', 'a'),
+ '/a': ('/', 'a'),
+ '//a': ('/', 'a'),
+ './a': ('/', 'a'),
+ './C:/': ('/C:', ''),
+ '/a/b': ('/a', 'b'),
+ '/a/b/': ('/a/b', ''),
+ '/a/b/c/..': ('/a/b', ''),
+ '/a/b/c/../d': ('/a/b', 'd'),
+ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
+ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
+ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
+ '../a/b/c/../d/e/.././././..//f': IndexError,
+ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
+ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
+ '/a/b/c/../d/e/../../../../../f': IndexError,
+ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
+ }
+ for path, expected in test_vectors.iteritems():
+ if isinstance(expected, type) and issubclass(expected, Exception):
+ self.assertRaises(expected,
+ CGIHTTPServer._url_collapse_path_split, path)
+ else:
+ actual = CGIHTTPServer._url_collapse_path_split(path)
+ self.assertEquals(expected, actual,
+ msg='path = %r\nGot: %r\nWanted: %r' % (
+ path, actual, expected))
+
def test_headers_and_content(self):
res = self.request('/cgi-bin/file1.py')
self.assertEquals(('Hello World\n', 'text/html', 200), \
@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
self.assertEquals(('Hello World\n', 'text/html', 200), \
(res.read(), res.getheader('Content-type'), res.status))
+ def test_no_leading_slash(self):
+ # http://bugs.python.org/issue2254
+ res = self.request('cgi-bin/file1.py')
+ self.assertEquals(('Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
def test_main(verbose=None):
cwd = os.getcwd()
|
