[New-bugs-announce] [issue12289] http.server.CGIHTTPRequestHandler doesn't check if a Python script is executable

STINNER Victor report at bugs.python.org
Thu Jun 9 01:47:27 CEST 2011


New submission from STINNER Victor <victor.stinner at haypocalc.com>:

CGIHTTPRequestHandler.run_cgi() only checks if the script processing the request is executable if the file is not a Python script, but later it uses os.execve(scriptfile, ...) if os has a fork() function.

Moreover, the executable() function checks if os.stat(path).st_mode & 0o111 != 0: this test is wrong if st_mode & 0o111 != 0o111. For example, if the script has mode 0700 and is not owned by the current user, executable() returns True, whereas it should be False. os.access(filename, os.X_OK) should be used instead.

I found these issues while trying to understand the following failure on "FreeBSD 7.2 x86 3.x" buildbot:

[320/356/2] test_httpservers
Traceback (most recent call last):
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd7/build/Lib/http/server.py", line 1123, in run_cgi
OSError: [Errno 13] Permission denied
(...)

I don't understand how it happens because test_httpservers uses os.chmod(script, 0o777).

----------
components: Library (Lib)
messages: 137930
nosy: haypo
priority: normal
severity: normal
status: open
title: http.server.CGIHTTPRequestHandler doesn't check if a Python script is executable
versions: Python 2.7, Python 3.2, Python 3.3

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12289>
_______________________________________
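
The gap between the any-execute-bit test and a per-caller check, as an added example that is not part of the original report or of http.server. The function names are hypothetical, the uid/gid values are constructed, and the permission model is simplified (owner/group/other only; no root override, ACLs or noexec mounts).

```python
import stat


def naive_executable(st_mode):
    """The test described in the report: true if ANY execute bit is set."""
    return st_mode & 0o111 != 0


def class_executable(st_mode, st_uid, st_gid, uid, gids):
    """Simplified POSIX rule: only the first matching class is consulted.

    Owner, then group, then other. Assumption: no root override, ACLs,
    capabilities or noexec mounts, all of which os.access() also accounts for.
    """
    if uid == st_uid:
        return bool(st_mode & stat.S_IXUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IXGRP)
    return bool(st_mode & stat.S_IXOTH)


# Constructed cases: (label, st_mode, file uid, file gid, caller uid, caller gids)
CASES = [
    ("0700 script, caller is another user", 0o100700, 1000, 1000, 1001, {1001}),
    ("0755 script, caller is another user", 0o100755, 1000, 1000, 1001, {1001}),
    ("0070 script, caller is the owner", 0o100070, 1000, 1000, 1000, {1000}),
    ("0710 script, caller is in the file's group", 0o100710, 1000, 50, 1001, {50}),
    ("0644 script, caller is the owner", 0o100644, 1000, 1000, 1000, {1000}),
]


def disagreements(cases):
    """Return labels where the bit test and the per-caller rule differ."""
    return [
        label
        for label, mode, f_uid, f_gid, uid, gids in cases
        if naive_executable(mode) != class_executable(mode, f_uid, f_gid, uid, gids)
    ]


if __name__ == "__main__":
    for label in disagreements(CASES):
        print("bit test says executable, caller would get EACCES:", label)
```

On a real file, os.access(path, os.X_OK) asks the kernel this question for the calling process, using its real uid and gid by default.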

