homepage

While is_cgi carefully normalizes the path using _url_collapse_path, if it returns True, then run_cgi is called... which sort of starts out using the cgi_info created by is_cgi, but then compares and searches using the original self.path value instead. This effectively bypasses both the normalization done by _url_collapse_path and the bugs and potential security problems that the normalization was intended to fix!
A simple cure is to replace the first two lines of run_cgi:
 path = self.path
 dir, rest = self.cgi_info
with:
 dir, rest = self.cgi_info
 path = '/'.join([ dir, rest ])
While this works, one might wonder why is_cgi splits the normalized path into two pieces to start with, if it gets recombined, and generally, dir and rest, although initialized from cgi_info, often get recalculated in the loop which immediately follows in run_cgi... more often than you might expect, if an unnormalized path is in the original request, but if the path comes in normalized (or the above fix is applied), and the CGI program actually resides directly in one of the cgi_directories directories (rather than below it), then the dir and rest calculated by is_cgi are actually used, and the loop performs only one half iteration.

Can we have a response to this security issue please.

This was also reported in Issue 19435. The combination changes for Issue 19435 + Issue 21323 looks essentially like the proposed change here.
Issue 14567 remains about the double processing of paths.