homepage

================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).
================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL 
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.
================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: 2008年3月07日 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: 2008年3月07日 14:55:04 GMT
#!/usr/bin/env python
print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.
================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: 2008年3月07日 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache
Hello
Connection closed by foreign host.
================================================================================

I'm attaching a patch that fixes this, it was done for rev 61179 (trunk).
Note that is_cgi method is incorrectly documented, even more now. Only
the first line in its docstring is correct now, before this patch, last
paragraph was correct too.

oops, I was doing some tests in the last patch and left a bug in it. I'm
attaching a new one.

This corrects is_cgi docstring (maybe this should be done in a new
issue?). It also removes a part of it that I believe to not be
necessary, someone correct me if I'm wrong.

Could you please create a test case for this as a patch to
Lib/test/test_httpservers.py?
thanks!

fyi - Your patch does not work on windows as it uses os.path for uri
manipulation. that means it behaves differently with regards to / and \
based on platform.
I'm making a new one. I've written a unittest. should be fixed soon.

Fixed in trunk r71303.
This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.
If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.
Closing.