[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2014-07-12 Thread Ned Deily 

Ned Deily added the comment:

See Issue21323 for details of a problem introduced by the original fixes for 
this problem and now fixed (except for 3.1 which is now end-of-life).

--
nosy: +ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2014-07-12 Thread Roundup Robot 

Roundup Robot added the comment:

New changeset d367ea865ea4 by Ned Deily in branch '2.7':
Issue #21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/d367ea865ea4

New changeset 4de94641ba3e by Ned Deily in branch '3.2':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/4de94641ba3e

New changeset b957f475e41e by Ned Deily in branch '3.3':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/b957f475e41e

New changeset 385f4406dc26 by Ned Deily in branch '3.4':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/385f4406dc26

New changeset 22e5a85ba840 by Ned Deily in branch 'default':
Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/22e5a85ba840

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-31 Thread Arfrever Frehtes Taifersar Arahesis 

Changes by Arfrever Frehtes Taifersar Arahesis :


--
nosy: +Arfrever

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-30 Thread Roundup Robot 

Roundup Robot added the comment:

New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/e4fe8fcaef0d

New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1':
use the collapsed path in the run_cgi method (closes #19435)
http://hg.python.org/cpython/rev/b1ddcb220a7f

New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2':
merge 3.1 (#19435)
http://hg.python.org/cpython/rev/dda1a32748e0

New changeset 544b654d000c by Benjamin Peterson in branch '3.3':
merge 3.2 (#19435)
http://hg.python.org/cpython/rev/544b654d000c

New changeset 493a99acaf00 by Benjamin Peterson in branch 'default':
merge 3.3 (#19435)
http://hg.python.org/cpython/rev/493a99acaf00

--
nosy: +python-dev
resolution:  -> fixed
stage: test needed -> committed/rejected
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Benjamin Peterson 

Benjamin Peterson added the comment:

Patch

--
keywords: +patch
Added file: http://bugs.python.org/file32413/cgi.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread janzert 

Changes by janzert :


--
nosy: +janzert

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Stéphane Glondu 

Changes by Stéphane Glondu :


--
nosy: +glondu

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Barry A. Warsaw 

Changes by Barry A. Warsaw :


--
nosy: +barry

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Christian Heimes 

Christian Heimes added the comment:

I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi


$ echo "GET ///badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 
8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT
hacked

--
assignee:  -> christian.heimes
nosy: +benjamin.peterson, georg.brandl, larry
priority: normal -> release blocker
stage:  -> test needed
versions: +Python 2.7, Python 3.3, Python 3.4

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread STINNER Victor 

Changes by STINNER Victor :


--
nosy: +christian.heimes, haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Alexander Kruppa 

New submission from Alexander Kruppa:

An error in separating the path and filename of the CGI script to run in 
http.server.CGIHTTPRequestHandler allows running arbitrary executables in the 
directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):
  """Execute a CGI script."""
  path = self.path
  dir, rest = self.cgi_info
  
  i = path.find('/', len(dir) + 1)

where path is the uncollapsed path in the URL, but cgi_info contains the first 
path segment and the rest from the *collapsed* path as filled in by is_cgi(), 
so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make 
sure this exact path is used, do for example:

  (echo "GET ///badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | 
telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the 
directory in which the server was started, so script execution is not 
restricted to the cgi-bin/ or htbin/ subdirectories.

--
components: Library (Lib)
messages: 201645
nosy: Alexander.Kruppa
priority: normal
severity: normal
status: open
title: Directory traversal attack for CGIHTTPRequestHandler
type: security
versions: Python 3.2

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com