blob: 277b218a04b2c17059ad244f34c0b18254a66dba (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
$NetBSD: patch-Lib_CGIHTTPServer.py,v 1.2.2.2 2014/07/05 11:13:52 tron Exp $
Fix for directory-traversal vulnerability, ref.
http://bugs.python.org/issue21766
--- Lib/CGIHTTPServer.py.orig 2014-06-09 11:29:36.000000000 +0000
+++ Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
path begins with one of the strings in self.cgi_directories
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
|
