changeset: 91181:f8b3bb5eb190 parent: 91176:7884e42183ed parent: 91180:847e288d6e93 user: Benjamin Peterson date: Sat Jun 14 18:41:31 2014 -0700 files: Misc/NEWS description: merge 3.4 (#21766) diff -r 7884e42183ed -r f8b3bb5eb190 Lib/http/server.py --- a/Lib/http/server.py Sat Jun 14 16:43:35 2014 -0700 +++ b/Lib/http/server.py Sat Jun 14 18:41:31 2014 -0700 @@ -977,7 +977,7 @@ (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: diff -r 7884e42183ed -r f8b3bb5eb190 Lib/test/test_httpservers.py --- a/Lib/test/test_httpservers.py Sat Jun 14 16:43:35 2014 -0700 +++ b/Lib/test/test_httpservers.py Sat Jun 14 18:41:31 2014 -0700 @@ -485,6 +485,11 @@ (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): diff -r 7884e42183ed -r f8b3bb5eb190 Misc/NEWS --- a/Misc/NEWS Sat Jun 14 16:43:35 2014 -0700 +++ b/Misc/NEWS Sat Jun 14 18:41:31 2014 -0700 @@ -106,6 +106,9 @@ run_forever() and run_until_complete() methods of asyncio.BaseEventLoop now raise an exception if the event loop was closed. +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Issue #21310: Fixed possible resource leak in failed open(). - Issue #21256: Printout of keyword args should be in deterministic order in