Issue #24657: Prevent CGIRequestHandler from collapsing the URL query
Initial patch from Xiang Zhang. Also fix out-of-date _url_collapse_path() doc
string.
diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
index 7a4593e..5620083 100644
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@
path begins with one of the strings in self.cgi_directories
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(urllib.unquote(self.path))
+ collapsed_path = _url_collapse_path(self.path)
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
@@ -304,13 +304,15 @@
The utility of this function is limited to is_cgi method and helps
preventing some security attacks.
- Returns: A tuple of (head, tail) where tail is everything after the final /
- and head is everything before it. Head will always start with a '/' and,
- if it contains anything else, never have a trailing '/'.
+ Returns: The reconstituted URL, which will always start with a '/'.
Raises: IndexError if too many '..' occur within the path.
"""
+ # Query component should not be involved.
+ path, _, query = path.partition('?')
+ path = urllib.unquote(path)
+
# Similar to os.path.split(os.path.normpath(path)) but specific to URL
# path semantics rather than local operating system semantics.
path_parts = path.split('/')
@@ -331,6 +333,9 @@
else:
tail_part = ''
+ if query:
+ tail_part = '?'.join((tail_part, query))
+
splitpath = ('/' + '/'.join(head_parts), tail_part)
collapsed_path = "/".join(splitpath)