Fix CVE-2014-4650 - CGIHTTPServer URL handling

Resolves: rhbz#1113529
This commit is contained in:
Slavek Kabrda 2014-11-03 15:03:12 +01:00
parent 8d54999cc4
commit e0539fb2e7
2 changed files with 49 additions and 2 deletions

View File

@ -0,0 +1,34 @@
# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1402796473 25200
# Node ID 847e288d6e93dba049c280f40979e16a1378d0f6
# Parent 6f1f387759913d91cb307d2783b3a40c48fe7424# Parent 5676797f3a3eccaf38e2c500e77ed39c68923cc9
merge 3.3 (#21766)
diff --git a/Lib/http/server.py b/Lib/http/server.py
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
(res.read(), res.getheader('Content-type'), res.status))
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
def __init__(self):

View File

@ -140,7 +140,7 @@
Summary: Version 3 of the Python programming language aka Python 3000 Summary: Version 3 of the Python programming language aka Python 3000
Name: python3 Name: python3
Version: %{pybasever}.1 Version: %{pybasever}.1
Release: 15%{?dist} Release: 16%{?dist}
License: Python License: Python
Group: Development/Languages Group: Development/Languages
@ -689,6 +689,14 @@ Patch195: 00195-dont-add-Werror-declaration-after-statement.patch
# Fix test_gdb failure on ppc64le # Fix test_gdb failure on ppc64le
Patch196: 00196-test-gdb-match-addr-before-builtin.patch Patch196: 00196-test-gdb-match-addr-before-builtin.patch
# 00197
#
# The CGIHTTPServer Python module did not properly handle URL-encoded
# path separators in URLs. This may have enabled attackers to disclose a CGI
# script's source code or execute arbitrary scripts in the server's
# document root.
Patch197: 00197-fix-CVE-2014-4650.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
@ -967,6 +975,7 @@ done
%patch194 -p1 %patch194 -p1
%patch195 -p1 %patch195 -p1
%patch196 -p1 %patch196 -p1
%patch197 -p1
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
# are many differences between 2.6 and the Python 3 library. # are many differences between 2.6 and the Python 3 library.
@ -1856,7 +1865,11 @@ rm -fr %{buildroot}
# ====================================================== # ======================================================
%changelog %changelog
* Sun Sep 07 2014 Karsten Hopp <karsten@redhat.com> .1-15 * Mon Nov 03 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.4.1-16
- Fix CVE-2014-4650 - CGIHTTPServer URL handling
Resolves: rhbz#1113529
* Sun Sep 07 2014 Karsten Hopp <karsten@redhat.com> 3.4.1-15
- exclude test_gdb on ppc* (rhbz#1132488) - exclude test_gdb on ppc* (rhbz#1132488)
* Thu Aug 21 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.4.1-14 * Thu Aug 21 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.4.1-14