[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Roundup Robot]

Roundup Robot added the comment:

New changeset 634fe6a90e0c by Martin Panter in branch '3.4':
Issue #24657: Prevent CGIRequestHandler from collapsing the URL query
https://hg.python.org/cpython/rev/634fe6a90e0c

New changeset ba1e3c112e42 by Martin Panter in branch '3.5':
Issues #25232, #24657: Merge two CGI server fixes from 3.4 into 3.5
https://hg.python.org/cpython/rev/ba1e3c112e42

New changeset 88918f2a54df by Martin Panter in branch '3.5':
Issues #25232, #24657: Use new enum status to match rest of tests
https://hg.python.org/cpython/rev/88918f2a54df

New changeset 0f03023d4318 by Martin Panter in branch 'default':
Issues #25232, #24657: Merge two CGI server fixes from 3.5
https://hg.python.org/cpython/rev/0f03023d4318

New changeset 3c006ee38287 by Martin Panter in branch 'default':
Issues #25232, #24657: Add NEWS to 3.6.0a1 section
https://hg.python.org/cpython/rev/3c006ee38287

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Roundup Robot]

Roundup Robot added the comment:

New changeset a4302005f9a2 by Martin Panter in branch '2.7':
Issue #24657: Prevent CGIRequestHandler from collapsing the URL query
https://hg.python.org/cpython/rev/a4302005f9a2

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Martin Panter added the comment:

Thanks everyone for the reports and patches. There were a couple of subtle 
compatibility tweaks needed for the 3.4 and 2.7 branches, but I think I got 
them all.

--
resolution:  -> fixed
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Changes by Martin Panter :


--
stage: commit review -> resolved

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Xiang Zhang]

Xiang Zhang added the comment:

Yes, there seems to still exist some defects not conforming to the
specification. I would like to investigate it. Maybe I can propose
a patch for it.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Changes by Martin Panter :


--
assignee:  -> martin.panter
nosy: +berker.peksag
stage: patch review -> commit review

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Martin Panter added the comment:

The patch looks like it will fix this particular bug without much negative 
impact. However there are plenty of other problems with this module’s URL 
handling, see Issue 14567. I think the translate_path(), _url_collapse_path(), 
is_cgi(), run_cgi(), etc functions all need a good rewrite.

Anyway it might be worth going ahead and committing this straight away, whether 
or not anyone is motivated to fix the wider issue later on.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Xiang Zhang]

Xiang Zhang added the comment:

The path with query component are unquoted entirely and then pass into
_url_collapse_path.
I think this behaviour is wrong and according to rfc3875 query component
should be left encoded in QUERY_STRING.
This patch seems to solve the problem. It passes the tests and with
martin's script, it gets:

('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//')

has the same behaviour with apache.

--
keywords: +patch
Added file: http://bugs.python.org/file40573/cgihandler.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Martin Panter added the comment:

It would be good to have a regression test case for this one too.

--
stage: needs patch -> patch review

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Xiang Zhang]

Xiang Zhang added the comment:

Add the testcase and use str.partition.

--
Added file: http://bugs.python.org/file40585/cgihander.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Xiang Zhang]

Xiang Zhang added the comment:

I think this is a bug. 

According to the rfcs, "/" is a reserved character in query component and 
continuous "/" in query component may be invalid and how to deal with it 
depends on the server. But encoded "/", %2F, acts as data and should be 
preserved. And from rfc3875, QUERY_STRING must be passed encoded.

I tested in apache2.4 with martin's script, query string is:

('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//')

In python's CGI server, it is:

('QUERY_STRING', 'k=aa/bb&/q/p/=/a/b/'),

--
nosy: +xiang.zhang

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[takayuki]

takayuki added the comment:

This bug seems to remain in Python 3.5.0.

How to reproduce:

1. Save the attached cgitest.py into cgi-bin directory and changed it to 
executable file by "chmod +x cgitest.py"

2. Run CGIHTTPRequestHandler
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import http.server
>>> http.server.test(HandlerClass=http.server.CGIHTTPRequestHandler)

3. Visit http://localhost:8000/cgi-bin/cgitest.py by any browser.

4. Input "a/b/c//d//e///f///g" to form named "p".

5. The continuous slash letters are trimed and "a/b/c/d/e/f/g" is given to 
cgitest.py.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[Martin Panter]

Martin Panter added the comment:

Yes it also seems to apply to Python 3.

Perhaps you forgot your test script, so I made my own. After running

python3 -m http.server --cgi

The response from the following URL has no double slashes to be seen:

http://localhost:8000/cgi-bin/test.py//x//y//?k=aa%2F%2Fbb&//q//p//=//a//b//

I am not a CGI expert, but I suspect the query string bits should have double 
slashes, but maybe the PATH_INFO is right not to (see RFC 3875).

--
nosy: +martin.panter
stage:  -> needs patch
type:  -> behavior
versions: +Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file40541/test.py

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue24657] CGIHTTPServer module discard continuous '/' letters from params given by GET method.

[takayuki]

New submission from takayuki:

I executed CGIHTTPServer and requested the following URI,
http://localhost:8000/cgi-bin/test.py?k=aa%2F%2Fbb;
to pass aa//bb as argument k,
but test.py received aa/bb.

I looked in CGIHTTPServer.py and found _url_collapse_path function
discards continuous slash letters even they are in the given parameters.

--
components: Library (Lib)
messages: 246877
nosy: takayuki
priority: normal
severity: normal
status: open
title: CGIHTTPServer module discard continuous '/' letters from params given by 
GET method.
versions: Python 2.7

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24657
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com