New submission from Glenn Linderman <v+pyt...@g.nevcal.com>:

While is_cgi carefully normalizes the path using _url_collapse_path, if it 
returns True, then run_cgi is called... which sort of starts out using the 
cgi_info created by is_cgi, but then compares and searches using the original 
self.path value instead.  This effectively bypasses both the normalization done 
by _url_collapse_path and the bugs and potential security problems that the 
normalization was intended to fix!

A simple cure is to replace the first two lines of run_cgi:

        path = self.path
        dir, rest = self.cgi_info

with:

        dir, rest = self.cgi_info
        path = '/'.join([ dir, rest ])

While this works, one might wonder why is_cgi splits the normalized path into 
two pieces to start with, if it gets recombined, and generally, dir and rest, 
although initialized from cgi_info, often get recalculated in the loop which 
immediately follows in run_cgi... more often than you might expect, if an 
unnormalized path is in the original request, but if the path comes in 
normalized (or the above fix is applied), and the CGI program actually resides 
directly in one of the cgi_directories directories (rather than below it), then 
the dir and rest calculated by is_cgi are actually used, and the loop performs 
only one half iteration.

----------
components: Library (Lib)
messages: 158162
nosy: orsenthil, v+python
priority: normal
severity: normal
status: open
title: run_cgi reverts to using unnormalized path
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14566>
_______________________________________
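
An added example, not part of the original report and not CPython's own code: a simplified model of the is_cgi / run_cgi split described above, showing that the loop yields an unnormalized dir when it walks the raw request path, and the normalized one when it walks the rejoined cgi_info. collapse_path, KNOWN_DIRS, split_script and the two run_cgi_* helpers are hypothetical stand-ins, and the request paths are constructed samples.

```python
import posixpath

CGI_DIRECTORIES = ["/cgi-bin"]   # assumption: a single configured CGI directory
KNOWN_DIRS = {"/cgi-bin"}        # constructed: directories that exist on the model server


def collapse_path(path):
    """Simplified stand-in for _url_collapse_path: resolves '.', '..' and '//'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_cgi(raw_path):
    """Return (dir, rest) taken from the normalized path, or None if not CGI."""
    collapsed = collapse_path(raw_path)
    sep = collapsed.find("/", 1)
    if sep < 0:
        return None
    head, tail = collapsed[:sep], collapsed[sep + 1:]
    return (head, tail) if head in CGI_DIRECTORIES else None


def split_script(path, cgi_info):
    """Model of the loop in run_cgi: extend dir while the next segment is a directory."""
    dir_, rest = cgi_info
    i = path.find("/", len(dir_) + 1)
    while i >= 0:
        nextdir, nextrest = path[:i], path[i + 1:]
        # Stands in for os.path.isdir(self.translate_path(nextdir)).
        if collapse_path(nextdir) not in KNOWN_DIRS:
            break
        dir_, rest = nextdir, nextrest
        i = path.find("/", len(dir_) + 1)
    return dir_, rest


def run_cgi_reported(raw_path):
    """Behaviour in the report: the loop searches the original request path."""
    info = is_cgi(raw_path)
    return None if info is None else split_script(raw_path, info)


def run_cgi_proposed(raw_path):
    """Proposed cure: the loop searches dir and rest rejoined from cgi_info."""
    info = is_cgi(raw_path)
    return None if info is None else split_script("/".join(info), info)


if __name__ == "__main__":
    for sample in ("/cgi-bin/hello.py", "/cgi-bin/./hello.py"):  # constructed requests
        print(sample, run_cgi_reported(sample), run_cgi_proposed(sample))
```

With an already normalized request the loop body never runs and both variants agree, which matches the observation that the values from is_cgi are only used unchanged in that case.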