This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: CGIHTTPServer doesn't quote arguments correctly on Windows.
Type: Stage:
Components: Library (Lib) Versions: Python 2.2
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: akuchling Nosy List: akuchling, allanbwilson, insomnike
Priority: normal Keywords:

Created on 2003-03-03 21:06 by allanbwilson, last changed 2022-04-10 16:07 by admin. This issue is now closed.

Messages (3)
msg14925 - (view) Author: Allan B. Wilson (allanbwilson) Date: 2003-03-03 21:06
In module CGIHTTPServer.py, in the section containing 
the following:

-----

        elif self.have_popen2 or self.have_popen3:
            # Windows -- use popen2 or popen3 to create a 
subprocess
            import shutil
            if self.have_popen3:
                popenx = os.popen3
            else:
                popenx = os.popen2
            cmdline = scriptfile
            if self.is_python(scriptfile):
                interp = sys.executable
                if interp.lower().endswith("w.exe"):
                    # On Windows, use python.exe, not 
pythonw.exe
                    interp = interp[:-5] + interp[-4:]
                cmdline = "%s -u %s" % (interp, cmdline)

-----

The final line, number 231 in my copy (version 0.4 in 
Python 2.2.2), doesn't handle filespecs with embedded 
spaces correctly. A script named, for example, "Powers 
of two.py" won't be found. This can be fixed by changing 
the quoting, namely to:

                cmdline = '%s -u "%s"' % (interp, cmdline)

so that the script name in cmdline is quoted properly.

Note that embedded spaces in interp could also cause 
problems (if Python were installed in C:\Program Files\ 
for example), but though adding "s around the first %s 
works for commands executed directly within Windows 
XP's cmd.exe, I couldn't get os.popen3 to handle them.

Thanks for your help.

Allan Wilson
msg14926 - (view) Author: Aaron Brady (insomnike) Date: 2004-06-05 19:22
Logged In: YES 
user_id=1057404

The above isn't safe, and if the command is devoid of '=' or
'"', it's run with quotes (in CVS HEAD as of 05/Jun/2004).
msg14927 - (view) Author: A.M. Kuchling (akuchling) * (Python committer) Date: 2004-06-05 19:23
Logged In: YES 
user_id=11375

Fixed in HEAD; closing.
History
Date User Action Args
2022-04-10 16:07:19adminsetgithub: 38091
2003-03-03 21:06:17allanbwilsoncreate