- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are

now collapsed within the url properly before looking in cgi_directories.
2025-10-31 05:31:20 +00:00 · 2009-04-06 06:33:26 +00:00 · 2009-04-06 06:33:26 +00:00 · 923ba361d8
commit 923ba361d8
parent 183028ed79
3 changed files with 100 additions and 18 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -7,6 +7,7 @@
 from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 from SimpleHTTPServer import SimpleHTTPRequestHandler
 from CGIHTTPServer import CGIHTTPRequestHandler
+import CGIHTTPServer

 import os
 import sys
@ -315,6 +316,45 @@ def tearDown(self):
        finally:
            BaseTestCase.tearDown(self)

+    def test_url_collapse_path_split(self):
+        test_vectors = {
+            '': ('/', ''),
+            '..': IndexError,
+            '/.//..': IndexError,
+            '/': ('/', ''),
+            '//': ('/', ''),
+            '/\\': ('/', '\\'),
+            '/.//': ('/', ''),
+            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+            'a': ('/', 'a'),
+            '/a': ('/', 'a'),
+            '//a': ('/', 'a'),
+            './a': ('/', 'a'),
+            './C:/': ('/C:', ''),
+            '/a/b': ('/a', 'b'),
+            '/a/b/': ('/a/b', ''),
+            '/a/b/c/..': ('/a/b', ''),
+            '/a/b/c/../d': ('/a/b', 'd'),
+            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
+            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
+            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
+            '../a/b/c/../d/e/.././././..//f': IndexError,
+            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
+            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
+            '/a/b/c/../d/e/../../../../../f': IndexError,
+            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
+        }
+        for path, expected in test_vectors.iteritems():
+            if isinstance(expected, type) and issubclass(expected, Exception):
+                self.assertRaises(expected,
+                                  CGIHTTPServer._url_collapse_path_split, path)
+            else:
+                actual = CGIHTTPServer._url_collapse_path_split(path)
+                self.assertEquals(expected, actual,
+                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
+                                  path, actual, expected))
+
    def test_headers_and_content(self):
        res = self.request('/cgi-bin/file1.py')
        self.assertEquals(('Hello World\n', 'text/html', 200), \
@ -339,6 +379,12 @@ def test_authorization(self):
        self.assertEquals(('Hello World\n', 'text/html', 200), \
             (res.read(), res.getheader('Content-type'), res.status))

+    def test_no_leading_slash(self):
+        # http://bugs.python.org/issue2254
+        res = self.request('cgi-bin/file1.py')
+        self.assertEquals(('Hello World\n', 'text/html', 200),
+             (res.read(), res.getheader('Content-type'), res.status))
+

 def test_main(verbose=None):
    try: