Glenn Linderman <v+pyt...@g.nevcal.com> added the comment:

Senthil, from you patch, I discovered where the test_httpservers.py lives, and 
added 

            '/cgi-bin/file1.py/../../a': ('/', 'a'),

to a local copy, and it worked fine against whatever version of the server and 
tests it was running against... but that was in test_url_collapse_path_split 
... I haven't figured out the full environment of the testing, or even if it 
launches an HTTP SERVER or only unittests particular functions within it, but 
it seems that that particular test is just testing the one function.  I'm not 
clear on where the tests actually test the activities of is_cgi or the creation 
of PATH_INFO, if that occurs. What time I've spent working with Python can be 
characterized as 99% application, 0.999% Python source to figure out how things 
work (or fail), .001% test environment (just now). So I'm pretty ignorant of 
the test environment, although I've spent 30+ years programming, only about 4 
has been in Python, and that not full time.

It is not clear to me, though, that the test you added:

    '/cgi-bin/file1.py/PATH-INFO': ('/cgi-bin', 'file1.py/PATH-INFO'),

should be the expected results of _url_collapse_path_split... 

I would expect 

    '/cgi-bin/file1.py/a/b/c/../../d': ('/cgi-bin/file1.py/a', 'd'),

but I don't think it would, with your present patch. It looks like it would 
return ('/cgi-bin', 'file1.py/a/b/c/../../d') which reintroduces the security 
problem: the '..' stuff has not been processed. I haven't applied your patch to 
actually run it, this is just from inspection, and I may have missed something.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10484>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to