This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Alexander.Kruppa
Recipients Alexander.Kruppa
Date 2013-10-29.16:34:01
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):    
      """Execute a CGI script."""    
      path = self.path    
      dir, rest = self.cgi_info    
      i = path.find('/', len(dir) + 1)    

where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:


Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

  (echo "GET /////////// HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.
Date User Action Args
2013-10-29 16:34:01Alexander.Kruppasetrecipients: + Alexander.Kruppa
2013-10-29 16:34:01Alexander.Kruppasetmessageid: <>
2013-10-29 16:34:01Alexander.Kruppalinkissue19435 messages
2013-10-29 16:34:01Alexander.Kruppacreate