1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
$NetBSD: patch-SA43463,v 1.1.2.2 2011/03/01 10:04:22 sbd Exp $
Fix information disclosure vulnerability reported in SA43463.
Patch taken from the Python SVN repository:
http://svn.python.org/view?view=revision&revision=71303
--- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000
+++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000
@@ -70,27 +70,20 @@
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
def is_cgi(self):
- """Test whether self.path corresponds to a CGI script,
- and return a boolean.
+ """Test whether self.path corresponds to a CGI script.
- This function sets self.cgi_info to a tuple (dir, rest)
- when it returns True, where dir is the directory part before
- the CGI script name. Note that rest begins with a
- slash if it is not empty.
-
- The default implementation tests whether the path
- begins with one of the strings in the list
- self.cgi_directories (and the next character is a '/'
- or the end of the string).
+ Returns True and updates the cgi_info attribute to the tuple
+ (dir, rest) if self.path requires running a CGI script.
+ Returns False otherwise.
+
+ The default implementation tests whether the normalized url
+ path begins with one of the strings in self.cgi_directories
+ (and the next character is a '/' or the end of the string).
"""
-
- path = self.path
-
- for x in self.cgi_directories:
- i = len(x)
- if path[:i] == x and (not path[i:] or path[i] == '/'):
- self.cgi_info = path[:i], path[i+1:]
- return True
+ splitpath = _url_collapse_path_split(self.path)
+ if splitpath[0] in self.cgi_directories:
+ self.cgi_info = splitpath
+ return True
return False
cgi_directories = ['/cgi-bin', '/htbin']
@@ -299,6 +292,46 @@
self.log_message("CGI script exited OK")
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+ """
+ Given a URL path, remove extra '/'s and '.' path elements and collapse
+ any '..' references.
+
+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+ Returns: A tuple of (head, tail) where tail is everything after the final /
+ and head is everything before it. Head will always start with a '/' and,
+ if it contains anything else, never have a trailing '/'.
+
+ Raises: IndexError if too many '..' occur within the path.
+ """
+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+ # path semantics rather than local operating system semantics.
+ path_parts = []
+ for part in path.split('/'):
+ if part == '.':
+ path_parts.append('')
+ else:
+ path_parts.append(part)
+ # Filter out blank non trailing parts before consuming the '..'.
+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+ if path_parts:
+ tail_part = path_parts.pop()
+ else:
+ tail_part = ''
+ head_parts = []
+ for part in path_parts:
+ if part == '..':
+ head_parts.pop()
+ else:
+ head_parts.append(part)
+ if tail_part and tail_part == '..':
+ head_parts.pop()
+ tail_part = ''
+ return ('/' + '/'.join(head_parts), tail_part)
+
+
nobody = None
def nobody_uid():
|