.. _cgi-directory-traversal-url-parsing:

CGI directory traversal (URL parsing)
=====================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

An error in separating the path and filename of the CGI script to run in ``http.server.CGIHTTPRequestHandler`` allows running arbitrary executables in the directory under which the server was started.

Dates:

* Disclosure date: **2013-10-29** (Python issue bpo-19435 reported)

Fixed In
--------

* Python **2.7.6** (2013-11-10) fixed by `commit 1ef959a (branch 2.7) `_ (2013-10-30)
* Python **3.2.6** (2014-10-12) fixed by `commit 04e9de4 (branch 3.2) `_ (2013-10-30)
* Python **3.3.4** (2014-02-09) fixed by `commit 04e9de4 (branch 3.2) `_ (2013-10-30)
* Python **3.4.0** (2014-03-16) fixed by `commit 04e9de4 (branch 3.2) `_ (2013-10-30)

Python issue
------------

Directory traversal attack for CGIHTTPRequestHandler.

* Python issue: `bpo-19435 `_
* Creation date: 2013-10-29
* Reporter: Alexander Kruppa

Timeline
--------

Timeline using the disclosure date **2013-10-29** as reference:

* 2013-10-29: `Python issue bpo-19435 `_ reported by Alexander Kruppa
* 2013-10-30 (**+1 days**): `commit 04e9de4 (branch 3.2) `_
* 2013-10-30 (**+1 days**): `commit 1ef959a (branch 2.7) `_
* 2013-11-10 (**+12 days**): Python 2.7.6 released
* 2014-02-09 (**+103 days**): Python 3.3.4 released
* 2014-03-16: Python 3.4.0 released
* 2014-10-12 (**+348 days**): Python 3.2.6 released
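The defect described above is one of ordering: the request path must be fully collapsed (every ``.`` and ``..`` resolved) before it is split into the CGI directory and the script name, otherwise the directory check runs on one string while the script lookup runs on another. The following is an added illustration of that check, written for this page and not CPython's own ``is_cgi`` code; the names ``collapse_url_path``, ``split_cgi_path`` and ``CGI_DIRECTORIES`` are this example's assumptions.

```python
import posixpath

# Constructed allow-list, assumed for this example (mirrors the usual
# CGI directory names, but is not CPython's configuration).
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def collapse_url_path(path: str) -> str:
    """Resolve '.' and '..' segments of an absolute URL path.

    Query string and fragment are stripped first. For an absolute path,
    posixpath.normpath never climbs above '/', so '/../x' collapses to '/x'.
    A trailing slash is preserved so that a directory request stays
    distinguishable from a script request.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    trailing = path.endswith("/")
    collapsed = posixpath.normpath(path)
    if trailing and collapsed != "/":
        collapsed += "/"
    return collapsed


def split_cgi_path(path: str):
    """Return (cgi_dir, script_and_path_info) for a request that lands inside
    one of CGI_DIRECTORIES, or None for anything else.

    The split is performed on the *collapsed* path, so a '..' in the request
    cannot move the script name out of the directory that is being checked:
    '/cgi-bin/../x.py' collapses to '/x.py', whose directory part is not a
    CGI directory, and the request is refused rather than executed.
    """
    collapsed = collapse_url_path(path)
    sep = collapsed.find("/", 1)
    if sep == -1:
        return None  # '/x.py' names a file at the root, not a CGI directory
    head, tail = collapsed[:sep], collapsed[sep + 1:]
    if head not in CGI_DIRECTORIES or not tail:
        return None
    return head, tail
```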