This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Unsupported provider

classification
Title: Directory traversal attack for CGIHTTPRequestHandler
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.2, Python 3.3, Python 3.4, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Alexander.Kruppa, Arfrever, barry, benjamin.peterson, christian.heimes, georg.brandl, glondu, janzert, larry, ned.deily, python-dev, vstinner
Priority: release blocker Keywords: patch

Created on 2013-10-29 16:34 by Alexander.Kruppa, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
cgi.patch benjamin.peterson, 2013-10-29 21:10 review
Messages (6)
msg201645 - (view) Author: Alexander Kruppa (Alexander.Kruppa) Date: 2013-10-29 16:34
An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):    
      """Execute a CGI script."""    
      path = self.path    
      dir, rest = self.cgi_info    
  
      i = path.find('/', len(dir) + 1)    

where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///////////badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

  (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.
msg201647 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-29 16:48
I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi


$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT
hacked
msg201673 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2013-10-29 21:10
Patch
msg201747 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2013-10-30 16:51
New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/e4fe8fcaef0d

New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/b1ddcb220a7f

New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2':
merge 3.1 (#19435)
http://hg.python.org/cpython/rev/dda1a32748e0

New changeset 544b654d000c by Benjamin Peterson in branch '3.3':
merge 3.2 (#19435)
http://hg.python.org/cpython/rev/544b654d000c

New changeset 493a99acaf00 by Benjamin Peterson in branch 'default':
merge 3.3 (#19435)
http://hg.python.org/cpython/rev/493a99acaf00
msg222911 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2014-07-13 05:21
New changeset d367ea865ea4 by Ned Deily in branch '2.7':
Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/d367ea865ea4

New changeset 4de94641ba3e by Ned Deily in branch '3.2':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/4de94641ba3e

New changeset b957f475e41e by Ned Deily in branch '3.3':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/b957f475e41e

New changeset 385f4406dc26 by Ned Deily in branch '3.4':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/385f4406dc26

New changeset 22e5a85ba840 by Ned Deily in branch 'default':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/22e5a85ba840
msg222913 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2014-07-13 05:34
See Issue21323 for details of a problem introduced by the original fixes for this problem and now fixed (except for 3.1 which is now end-of-life).
History
Date User Action Args
2022-04-11 14:57:52adminsetgithub: 63634
2015-10-02 00:47:18martin.panterlinkissue14566 superseder
2014-07-13 05:34:43ned.deilysetnosy: + ned.deily
messages: + msg222913
2014-07-13 05:21:15python-devsetmessages: + msg222911
2013-11-01 00:39:27Arfreversetnosy: + Arfrever
2013-10-30 16:51:29python-devsetstatus: open -> closed

nosy: + python-dev
messages: + msg201747

resolution: fixed
stage: test needed -> resolved
2013-10-29 21:10:13benjamin.petersonsetfiles: + cgi.patch
keywords: + patch
messages: + msg201673
2013-10-29 18:49:24janzertsetnosy: + janzert
2013-10-29 16:54:48glondusetnosy: + glondu
2013-10-29 16:51:02barrysetnosy: + barry
2013-10-29 16:48:40christian.heimessetpriority: normal -> release blocker

assignee: christian.heimes
versions: + Python 2.7, Python 3.3, Python 3.4
nosy: + larry, benjamin.peterson, georg.brandl

messages: + msg201647
stage: test needed
2013-10-29 16:35:41vstinnersetnosy: + vstinner, christian.heimes
2013-10-29 16:34:01Alexander.Kruppacreate