forked from fedora-python/python26
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2014-4650.patch
35 lines (31 loc) · 1.49 KB
/
CVE-2014-4650.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1402796189 25200
# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
# Parent bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
url unquote the path before checking if it refers to a CGI script (closes #21766)
diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
path begins with one of the strings in self.cgi_directories
(and the next character is a '/' or the end of the string).
"""
- splitpath = _url_collapse_path_split(self.path)
+ splitpath = _url_collapse_path_split(urllib.unquote(self.path))
if splitpath[0] in self.cgi_directories:
self.cgi_info = splitpath
return True
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
(res.read(), res.getheader('Content-type'), res.status))
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
""" Test url parsing """