This repository has been archived by the owner on Apr 29, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
python-2.6.6-CVE-2011-1015.patch
161 lines (151 loc) · 6.51 KB
/
python-2.6.6-CVE-2011-1015.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
diff -up Python-2.6.6/Lib/CGIHTTPServer.py.CVE-2011-1015 Python-2.6.6/Lib/CGIHTTPServer.py
--- Python-2.6.6/Lib/CGIHTTPServer.py.CVE-2011-1015 2009-11-11 12:24:53.000000000 -0500
+++ Python-2.6.6/Lib/CGIHTTPServer.py 2011-04-07 19:38:49.764397255 -0400
@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
def is_cgi(self):
- """Test whether self.path corresponds to a CGI script,
- and return a boolean.
+ """Test whether self.path corresponds to a CGI script.
- This function sets self.cgi_info to a tuple (dir, rest)
- when it returns True, where dir is the directory part before
- the CGI script name. Note that rest begins with a
- slash if it is not empty.
-
- The default implementation tests whether the path
- begins with one of the strings in the list
- self.cgi_directories (and the next character is a '/'
- or the end of the string).
+ Returns True and updates the cgi_info attribute to the tuple
+ (dir, rest) if self.path requires running a CGI script.
+ Returns False otherwise.
+
+ The default implementation tests whether the normalized url
+ path begins with one of the strings in self.cgi_directories
+ (and the next character is a '/' or the end of the string).
"""
-
- path = self.path
-
- for x in self.cgi_directories:
- i = len(x)
- if path[:i] == x and (not path[i:] or path[i] == '/'):
- self.cgi_info = path[:i], path[i+1:]
- return True
+ splitpath = _url_collapse_path_split(self.path)
+ if splitpath[0] in self.cgi_directories:
+ self.cgi_info = splitpath
+ return True
return False
cgi_directories = ['/cgi-bin', '/htbin']
@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
self.log_message("CGI script exited OK")
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+ """
+ Given a URL path, remove extra '/'s and '.' path elements and collapse
+ any '..' references.
+
+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+ Returns: A tuple of (head, tail) where tail is everything after the final /
+ and head is everything before it. Head will always start with a '/' and,
+ if it contains anything else, never have a trailing '/'.
+
+ Raises: IndexError if too many '..' occur within the path.
+ """
+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+ # path semantics rather than local operating system semantics.
+ path_parts = []
+ for part in path.split('/'):
+ if part == '.':
+ path_parts.append('')
+ else:
+ path_parts.append(part)
+ # Filter out blank non trailing parts before consuming the '..'.
+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+ if path_parts:
+ tail_part = path_parts.pop()
+ else:
+ tail_part = ''
+ head_parts = []
+ for part in path_parts:
+ if part == '..':
+ head_parts.pop()
+ else:
+ head_parts.append(part)
+ if tail_part and tail_part == '..':
+ head_parts.pop()
+ tail_part = ''
+ return ('/' + '/'.join(head_parts), tail_part)
+
+
nobody = None
def nobody_uid():
diff -up Python-2.6.6/Lib/test/test_httpservers.py.CVE-2011-1015 Python-2.6.6/Lib/test/test_httpservers.py
--- Python-2.6.6/Lib/test/test_httpservers.py.CVE-2011-1015 2010-04-25 18:09:32.000000000 -0400
+++ Python-2.6.6/Lib/test/test_httpservers.py 2011-04-07 19:34:42.956501202 -0400
@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from SimpleHTTPServer import SimpleHTTPRequestHandler
from CGIHTTPServer import CGIHTTPRequestHandler
+import CGIHTTPServer
import os
import sys
@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
finally:
BaseTestCase.tearDown(self)
+ def test_url_collapse_path_split(self):
+ test_vectors = {
+ '': ('/', ''),
+ '..': IndexError,
+ '/.//..': IndexError,
+ '/': ('/', ''),
+ '//': ('/', ''),
+ '/\\': ('/', '\\'),
+ '/.//': ('/', ''),
+ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+ 'a': ('/', 'a'),
+ '/a': ('/', 'a'),
+ '//a': ('/', 'a'),
+ './a': ('/', 'a'),
+ './C:/': ('/C:', ''),
+ '/a/b': ('/a', 'b'),
+ '/a/b/': ('/a/b', ''),
+ '/a/b/c/..': ('/a/b', ''),
+ '/a/b/c/../d': ('/a/b', 'd'),
+ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
+ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
+ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
+ '../a/b/c/../d/e/.././././..//f': IndexError,
+ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
+ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
+ '/a/b/c/../d/e/../../../../../f': IndexError,
+ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
+ }
+ for path, expected in test_vectors.iteritems():
+ if isinstance(expected, type) and issubclass(expected, Exception):
+ self.assertRaises(expected,
+ CGIHTTPServer._url_collapse_path_split, path)
+ else:
+ actual = CGIHTTPServer._url_collapse_path_split(path)
+ self.assertEquals(expected, actual,
+ msg='path = %r\nGot: %r\nWanted: %r' % (
+ path, actual, expected))
+
def test_headers_and_content(self):
res = self.request('/cgi-bin/file1.py')
self.assertEquals(('Hello World\n', 'text/html', 200), \
@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
self.assertEquals(('Hello World\n', 'text/html', 200), \
(res.read(), res.getheader('Content-type'), res.status))
+ def test_no_leading_slash(self):
+ # http://bugs.python.org/issue2254
+ res = self.request('cgi-bin/file1.py')
+ self.assertEquals(('Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
def test_main(verbose=None):
cwd = os.getcwd()
diff -up Python-2.6.6/Misc/NEWS.CVE-2011-1015 Python-2.6.6/Misc/NEWS