This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: run_cgi reverts to using unnormalized path
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: Directory traversal attack for CGIHTTPRequestHandler
View: 19435
Assigned To: Nosy List: BreamoreBoy, martin.panter, orsenthil, v+python
Priority: normal Keywords:

Created on 2012-04-12 19:01 by v+python, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (3)
msg158162 - (view) Author: Glenn Linderman (v+python) * Date: 2012-04-12 19:01
While is_cgi carefully normalizes the path using _url_collapse_path, if it returns True, then run_cgi is called... which sort of starts out using the cgi_info created by is_cgi, but then compares and searches using the original self.path value instead.  This effectively bypasses both the normalization done by _url_collapse_path and the bugs and potential security problems that the normalization was intended to fix!

A simple cure is to replace the first two lines of run_cgi:

        path = self.path
        dir, rest = self.cgi_info


        dir, rest = self.cgi_info
        path = '/'.join([ dir, rest ])

While this works, one might wonder why is_cgi splits the normalized path into two pieces to start with, if it gets recombined, and generally, dir and rest, although initialized from cgi_info, often get recalculated in the loop which immediately follows in run_cgi... more often than you might expect, if an unnormalized path is in the original request, but if the path comes in normalized (or the above fix is applied), and the CGI program actually resides directly in one of the cgi_directories directories (rather than below it), then the dir and rest calculated by is_cgi are actually used, and the loop performs only one half iteration.
msg222249 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2014-07-04 00:39
Can we have a response to this security issue please.
msg252075 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-10-02 00:47
This was also reported in Issue 19435. The combination changes for Issue 19435 + Issue 21323 looks essentially like the proposed change here.

Issue 14567 remains about the double processing of paths.
Date User Action Args
2022-04-11 14:57:29adminsetgithub: 58771
2015-10-02 00:47:18martin.pantersetstatus: open -> closed

superseder: Directory traversal attack for CGIHTTPRequestHandler

nosy: + martin.panter
messages: + msg252075
resolution: duplicate
stage: resolved
2014-08-30 04:18:32terry.reedysetversions: - Python 2.6, Python 3.1
2014-07-04 00:39:46BreamoreBoysetnosy: + BreamoreBoy

messages: + msg222249
versions: + Python 3.4, Python 3.5
2012-04-12 19:01:10v+pythoncreate