Author: gregory.p.smith
Recipients: Arfrever, barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps, gregory.p.smith
Date: 2011-02-13 05:42:12
Message-id: <1297575733.12.0.319385812353.issue11197@psf.upfronthosting.co.za>
In-reply-to:

Content
Agreed, fixing this is going to be too complex for 3.2.0, it'll be done for 3.2.1.

Reading over the http.server Simple and CGI HTTPRequestHandler code, I see many problems with the way this code does things today.

General:
 * I'm not sure urllib.parse.unquote() is called on the path in the correct place all the time.  Studying some RFCs will be required to confirm that.  Specifically, the CGI handler unquotes the path before fixing it up.  The Simple handler never unquotes the path.

Simple (and subclasses such as CGI):
 * The mentioned directory traversal vulnerability.

CGI:
 * The _url_collapse_path_split called by is_cgi lets os.sep characters through unchecked, so a request for /foo/bar\..\..\..\..\..\../ for example should still find its way out on Windows.  issue2254 wasn't 100% fixed.
 * _url_collapse_path_split should really ignore the query string and anchor; though, the way it is used, it likely just wastes time processing them and discarding the result.
 * It uses fork() + execve() on POSIX systems.  It should always use subprocess instead in order to be thread safe.

The first thing I'll be doing is coming up with test cases demonstrating each of these issues.
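The path-collapsing problems listed in the message above (unquoting in the wrong place, os.sep slipping through, query string and fragment not being ignored) can be illustrated with a small standalone reimplementation. The code below is an added example written for this page; it is not CPython's http.server code and not the fix that was eventually committed for issue11197. The CGI directory names "/cgi-bin" and "/htbin" and the sample request paths are assumed here for illustration.

```python
import os
from urllib.parse import unquote, urlsplit

# Directories whose contents are executed as CGI scripts. Assumed here
# for illustration only; not taken from the bug report.
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")

# Constructed sample requests (not from the tracker) covering the cases
# the message raises: backslash traversal, plain '..', percent-encoded
# '..', and a query string / fragment that carries '..' as noise.
SAMPLE_PATHS = [
    "/cgi-bin/script.cgi",
    "/foo/bar\\..\\..\\..\\..\\..\\../",
    "/cgi-bin/../../etc/passwd",
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",
    "/cgi-bin/script.cgi?x=../../y#frag",
]


def collapse_path(path):
    """Return a normalised absolute URL path with '.' and '..' resolved.

    The ordering is the point: the query string and fragment are dropped
    first, the remainder is percent-decoded exactly once, and only then
    are backslashes folded into forward slashes and dot segments
    collapsed. Collapsing never climbs above the root.
    """
    # 1. Ignore the query string and fragment entirely.
    path = urlsplit(path).path
    # 2. Decode %2e%2e and friends before looking for dot segments.
    path = unquote(path)
    # 3. Windows code downstream treats '\\' as a separator, so treat it
    #    as one here too instead of letting it through unchecked.
    path = path.replace("\\", "/")
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    collapsed = "/" + "/".join(parts)
    # Keep a trailing slash on directory requests such as "/cgi-bin/".
    if parts and path.endswith("/"):
        collapsed += "/"
    return collapsed


def is_cgi(path, cgi_directories=CGI_DIRECTORIES):
    """Return (cgi_dir, script_relpath) if the collapsed path lies inside
    one of cgi_directories, otherwise None. Matching happens on the
    collapsed path, so '..' cannot move a script outside the CGI tree."""
    collapsed = collapse_path(path)
    for directory in cgi_directories:
        if collapsed.startswith(directory + "/"):
            return directory, collapsed[len(directory) + 1:]
    return None


def translate_path(root, path):
    """Map a URL path to a filesystem path under root, refusing anything
    that resolves outside root. The containment check is a second line of
    defence in case collapsing is ever bypassed."""
    root = os.path.abspath(root)
    relative = collapse_path(path).lstrip("/")
    target = os.path.abspath(os.path.join(root, *relative.split("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes document root: %r" % (path,))
    return target


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print("%-42s -> %-20s cgi=%s" % (sample, collapse_path(sample), is_cgi(sample)))
```

Note that the backslash handling above is deliberately unconditional rather than keyed on os.sep: a server that only folds backslashes when running on Windows still ships a Windows-only traversal path, and treating "\" as a separator everywhere costs nothing on POSIX beyond refusing file names that contain a literal backslash.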
History
Date                 User             Action  Args
2011-02-13 05:42:13  gregory.p.smith  set     recipients: + gregory.p.smith, barry, brett.cannon, georg.brandl, gps, benjamin.peterson, Arfrever, dmalcolm
2011-02-13 05:42:13  gregory.p.smith  set     messageid: <1297575733.12.0.319385812353.issue11197@psf.upfronthosting.co.za>
2011-02-13 05:42:12  gregory.p.smith  link    issue11197 messages
2011-02-13 05:42:12  gregory.p.smith  create