[issue10484] http.server.is_cgi fails to handle CGI URLs containing PATH_INFO
Glenn Linderman
report at bugs.python.org
Fri Mar 16 09:43:23 CET 2012
Glenn Linderman <v+python at g.nevcal.com> added the comment:
Another issue with the patch is that it doesn't do .. and . collapsing on the PATH_INFO part of the path.
It is possible for a path like
/cgi-bin/script.py/../../plain-file.html
to be passed to the server. I guess the question is if it should serve plain-file.html or if it should pass "../../plain-file.html" to script.py as its PATH_INFO. I would think the former would be appropriate. I would have to do research to determine if some standard states otherwise.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10484>
_______________________________________
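
An added example (not part of the original message, and not http.server's own code) of the first reading in the comment above: collapse . and .. over the whole path before deciding what is the script and what is PATH_INFO. CGI_DIRS, collapse, classify and naive_classify are hypothetical names, and the input is assumed to be a URL path with no query string.

```python
from urllib.parse import unquote

CGI_DIRS = ("/cgi-bin",)  # assumption: one CGI directory, as in the quoted path


def collapse(path):
    """Resolve '.' and '..' segments; '..' at the root is clamped, not an error.

    Percent-escapes are decoded first so that %2e%2e is treated like '..'.
    A trailing slash is dropped, which is enough for this illustration.
    """
    out = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def _split(path):
    """Return ('cgi', script, path_info) if path is under a CGI dir, else None."""
    for d in CGI_DIRS:
        if path.startswith(d + "/"):
            script, _, info = path[len(d) + 1:].partition("/")
            if script:
                return ("cgi", d + "/" + script, "/" + info if info else "")
    return None


def classify(raw_path):
    """Collapse first, then split: the 'serve plain-file.html' reading."""
    path = collapse(raw_path)
    return _split(path) or ("file", path, "")


def naive_classify(raw_path):
    """Split without collapsing: dot segments end up inside PATH_INFO."""
    return _split(raw_path) or ("file", raw_path, "")


if __name__ == "__main__":
    sample = "/cgi-bin/script.py/../../plain-file.html"  # path from the comment
    print("collapsed:", classify(sample))
    print("naive:    ", naive_classify(sample))
```

Collapsing before the split also means a path such as /docs/../cgi-bin/script.py is recognised as a CGI request, so the same normalized string is used for both the CGI decision and the file lookup.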