New submission from STINNER Victor <victor.stin...@haypocalc.com>:

CGIHTTPRequestHandler.run_cgi() only checks if the script processing the request is executable if the file is not a Python script, but later it uses os.execve(scriptfile, ...) if os has a fork() function.

Moreover, the executable() function checks if os.stat(path).st_mode & 0o111 != 0: this test is wrong if st_mode & 0o111 != 0o111. For example, if the script has mode 0700 and is not owned by the current user, executable() returns True, whereas it should be False. os.access(filename, os.X_OK) should be used instead.

I found these issues while trying to understand the following failure on "FreeBSD 7.2 x86 3.x" buildbot:

    [320/356/2] test_httpservers
    Traceback (most recent call last):
      File "/usr/home/db3l/buildarea/3.x.bolen-freebsd7/build/Lib/http/server.py", line 1123, in run_cgi
    OSError: [Errno 13] Permission denied
    (...)

I don't understand how it happens because test_httpservers uses os.chmod(script, 0o777).

----------
components: Library (Lib)
messages: 137930
nosy: haypo
priority: normal
severity: normal
status: open
title: http.server.CGIHTTPRequestHandler doesn't check if a Python script is executable
versions: Python 2.7, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12289>
_______________________________________
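
The gap between the two checks named in the report above, as an added example that is not part of the original message or of CPython's code. `naive_executable` restates the `st_mode & 0o111` test; `posix_can_execute` is a hypothetical, simplified model of how a single permission class is selected (it ignores root, capabilities, ACLs and noexec mounts), and the uids and gids in it are constructed.

```python
import os
import stat
import tempfile


def naive_executable(st_mode):
    """The check described in the report: true if ANY execute bit is set."""
    return st_mode & 0o111 != 0


def posix_can_execute(st_mode, st_uid, st_gid, uid, gids):
    """Simplified model (an assumption of this example, not CPython code):
    exactly one class applies to the caller: owner, else group, else other.
    Root, capabilities, ACLs and noexec mounts are deliberately ignored."""
    if uid == st_uid:
        return bool(st_mode & stat.S_IXUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IXGRP)
    return bool(st_mode & stat.S_IXOTH)


def compare_on_disk(path):
    """Return (naive check, os.access) for a real file.
    os.access() asks the kernel, using the real uid/gid of the process."""
    st = os.stat(path)
    return naive_executable(st.st_mode), os.access(path, os.X_OK)


if __name__ == "__main__":
    # Constructed case from the report: mode 0700, owner uid 1000, caller uid 2000.
    print("naive:", naive_executable(0o700),
          "model:", posix_can_execute(0o700, 1000, 1000, 2000, {2000}))

    # The same disagreement on a file we own: only the group bit is set, so
    # the owner class applies and grants no execute permission. The os.access
    # result depends on who runs this (root bypasses the class selection).
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o070)
        print("naive, os.access:", compare_on_disk(f.name))
```

A handler that relies on the naive result reaches os.execve() with a script the kernel then refuses, which surfaces as the `[Errno 13] Permission denied` seen in the buildbot log rather than as a clean error response.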