New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CGIHTTPServer module discard continuous '/' letters from params given by GET method. #68845
Comments
I executed CGIHTTPServer and requested the following URI, I looked in CGIHTTPServer.py and found _url_collapse_path function |
This bug seems to remain in Python 3.5.0. How to reproduce:
2. Run CGIHTTPRequestHandler
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import http.server
>>> http.server.test(HandlerClass=http.server.CGIHTTPRequestHandler)
|
Yes it also seems to apply to Python 3. Perhaps you forgot your test script, so I made my own. After running python3 -m http.server --cgi The response from the following URL has no double slashes to be seen: http://localhost:8000/cgi-bin/test.py//x//y//?k=aa%2F%2Fbb&//q//p//=//a//b// I am not a CGI expert, but I suspect the query string bits should have double slashes, but maybe the PATH_INFO is right not to (see RFC 3875). |
I think this is a bug. According to the rfcs, "/" is a reserved character in query component and continuous "/" in query component may be invalid and how to deal with it depends on the server. But encoded "/", %2F, acts as data and should be preserved. And from rfc3875, QUERY_STRING must be passed encoded. I tested in apache2.4 with martin's script, query string is: ('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//') In python's CGI server, it is: ('QUERY_STRING', 'k=aa/bb&/q/p/=/a/b/'), |
The path with query component are unquoted entirely and then pass into ('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//') has the same behaviour with apache. |
It would be good to have a regression test case for this one too. |
Add the testcase and use str.partition. |
The patch looks like it will fix this particular bug without much negative impact. However there are plenty of other problems with this module’s URL handling, see bpo-14567. I think the translate_path(), _url_collapse_path(), is_cgi(), run_cgi(), etc functions all need a good rewrite. Anyway it might be worth going ahead and committing this straight away, whether or not anyone is motivated to fix the wider issue later on. |
Yes, there seems to still exist some defects not conforming to the |
New changeset 634fe6a90e0c by Martin Panter in branch '3.4': New changeset ba1e3c112e42 by Martin Panter in branch '3.5': New changeset 88918f2a54df by Martin Panter in branch '3.5': New changeset 0f03023d4318 by Martin Panter in branch 'default': New changeset 3c006ee38287 by Martin Panter in branch 'default': |
New changeset a4302005f9a2 by Martin Panter in branch '2.7': |
Thanks everyone for the reports and patches. There were a couple of subtle compatibility tweaks needed for the 3.4 and 2.7 branches, but I think I got them all. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: