Martin Panter added the comment:
This was also reported in Issue 19435. The combination of changes for Issue 19435
+ Issue 21323 looks essentially like the proposed change here.
Issue 14567 remains about the double processing of paths.
--
nosy: +martin.panter
resolution: -> duplicate
Changes by Terry J. Reedy tjre...@udel.edu:
--
versions: -Python 2.6, Python 3.1
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue14566
___
Mark Lawrence added the comment:
Can we have a response to this security issue, please?
--
nosy: +BreamoreBoy
versions: +Python 3.4, Python 3.5
___
New submission from Glenn Linderman v+pyt...@g.nevcal.com:
While is_cgi carefully normalizes the path using _url_collapse_path, if it
returns True, then run_cgi is called... which sort of starts out using the
cgi_info created by is_cgi, but then compares and searches using the original