[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-11 Thread Senthil Kumaran
Senthil Kumaran added the comment: Hello Glenn, your suggestions were valid. I have made those changes in the code. Thanks! I think we can close this bug now and move over to others. Thanks, Senthil -- status: open -> closed

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-11 Thread Roundup Robot
Roundup Robot added the comment: New changeset c67efb8ffca4 by Senthil Kumaran in branch '2.7': Issue 10484 - Incorporate improvements to CGI module - Suggested by Glenn Linderman. Refactor code and tests http://hg.python.org/cpython/rev/c67efb8ffca4 New changeset fc001124a3ee by Senthil Kumar

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-11 Thread Glenn Linderman
Glenn Linderman added the comment: I note that there is no test for tail_part == '.'. I suggest adding a couple, such as the following which I added to my local copy for testing of the next item: '/a/b/.': ('/a/b', ''), '/a/b/c/../d/e/../../../../f/../.': ('/', ''),

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-10 Thread Glenn Linderman
Glenn Linderman added the comment: A minor detail of efficiency: _url_collapse_path_split is used in only one place, from is_cgi. _url_collapse_path_split splits the path, and is_cgi now puts it back together. This seems inefficient. Would it not be better for _url_collapse_path_split to be re

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-10 Thread Glenn Linderman
Glenn Linderman added the comment: Senthil, thanks for your work on this. Regarding: I also looked at changes in the patches contained in issue 13893, but I found that those broke behavior or exhibited the security issue again. I'd be curious to know what problems you discovered, since I had

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: I had to carefully review a lot of changes for this. In addition, I did set up an Apache server and tested the behaviors too. A few notes: - The test for _url_collapse_path_split is not directly helpful, especially for PATH_INFO. I removed my previous changes I had

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-04-10 Thread Roundup Robot
Roundup Robot added the comment: New changeset 89eeaa18700f by Senthil Kumaran in branch '2.7': fix the incorrect changes made for PATH_INFO value - Issue10484 http://hg.python.org/cpython/rev/89eeaa18700f New changeset 827a4062b1d6 by Senthil Kumaran in branch '3.2': 3.2- fix the incorrect cha

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: Senthil, from your patch, I discovered where the test_httpservers.py lives, and added '/cgi-bin/file1.py/../../a': ('/', 'a'), to a local copy, and it worked fine against whatever version of the server and tests it was running against... but tha

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: I just tested what Apache does with such a path as /cgi-bin/script.py/../../plain-file.html, and it serves the plain-file.html.

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: Another issue with the patch is that it doesn't do .. and . collapsing on the PATH_INFO part of the path. It is possible for a path like /cgi-bin/script.py/../../plain-file.html to be passed to the server. I guess the question is if it should serve plain

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: Senthil, the patch you submitted breaks the encapsulation of cgi_directories -- this should be changeable per particular application via subclassing or assignment, but you've built those directories into the code. Perhaps you should take a look at my code f

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: In reviewing my code in this area, I also see that in addition to fixing _url_collapse_path_split, I override the location that uses it, which is the is_cgi function. Here is my code for the override, which actually creates a proper PATH_INFO string:

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Senthil Kumaran
Senthil Kumaran added the comment: I treated this as a regression from 2.6. A CGI URL with /cgi-bin/hello.py/hello/world would have PATH_INFO as '/hello/world'. I saw some Apache specs saying that it should be 'hello/world', but I relied on Python 2.6's behavior, which had an initial '/'. Glenn, I

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Roundup Robot
Roundup Robot added the comment: New changeset bab9f29c93fd by Senthil Kumaran in branch '2.7': 2.7 - Issue #10484: Fix the CGIHTTPServer's PATH_INFO handling problem http://hg.python.org/cpython/rev/bab9f29c93fd New changeset 88c86869ce92 by Senthil Kumaran in branch '3.2': closes issue10484 -

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Glenn Linderman
Glenn Linderman added the comment: I'm not sure what tests break or why, I suppose it is the ones for the security patch. I'm not sure which code you are referring to... the code in msg122259 I tested only cursorily, the (different) code in issue 13893 is what I'm running today, and so has b

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-16 Thread Senthil Kumaran
Senthil Kumaran added the comment: Actually no. I revert back my previous statement. Meddling with splitpath breaks all the tests.

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-15 Thread Senthil Kumaran
Senthil Kumaran added the comment: To note in the tracker, the original 2.6 code was changed in Issue 2254 and the relevant changeset is c6c4398293bd. I find Glenn's suggestion a possibly okay solution for PATH_INFO problem, keeping intact the security issue the previous change dealt wit

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-01 Thread Glenn Linderman
Glenn Linderman added the comment: issue 13893 contains code that fixes this, and several other open issues. Sadly, I created that code by "debugging and rewriting until it worked", and only then teased apart the specific, separable issues that I had debugged and fixed, and created issues. I

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-01 Thread Senthil Kumaran
Senthil Kumaran added the comment: Oh, sorry. I shall fix this by this weekend. -- assignee: -> orsenthil

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2012-03-01 Thread Giovanni Funchal
Giovanni Funchal added the comment: This is still an issue as of Python 3.2.2 and is affecting me. -- nosy: +Giovanni.Funchal

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2010-11-23 Thread Glenn Linderman
Glenn Linderman added the comment: Here is a replacement for the body of is_cgi that will work with the current _url_collapse_path_split function, but it seems to me that it is inefficient to do multiple splits and joins of the path between the two functions. splitpath = server._u

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2010-11-21 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- nosy: +facundobatista, fdrake, orsenthil versions: +Python 3.1

[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO

2010-11-20 Thread Glenn Linderman
New submission from Glenn Linderman: is_cgi doesn't properly handle PATH_INFO parts of the path. The Python2.x CGIHTTPServer.py had this right, but the introduction and use of _url_collapse_path_split broke it. _url_collapse_path_split splits the URL into two parts, the second part is gua