CGI directory traversal (URL parsing)

An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.
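Added example, not CPython's code or the fix for bpo-19435: one way to avoid this class of error is to cut the CGI directory, the script name and the extra path info from a single collapsed form of the request path, then confirm that the resolved file stays inside the CGI directory. The names collapse, split_cgi and resolve_script, the CGI_DIRECTORIES value and the single-level script layout are assumptions made for the illustration.

```python
import os
import posixpath
from urllib.parse import unquote

CGI_DIRECTORIES = ("/cgi-bin", "/htbin")  # assumed server configuration


def collapse(url_path):
    """Drop the query, decode %-escapes, resolve '.', '..' and extra slashes."""
    path = unquote(url_path.split("?", 1)[0])
    # normpath keeps a leading '//', so force exactly one leading slash first.
    return posixpath.normpath("/" + path.lstrip("/"))


def split_cgi(url_path, cgi_dirs=CGI_DIRECTORIES):
    """Return (cgi_dir, script, path_info), or None if not a CGI request.

    Every part is sliced from the same collapsed string, so the directory
    that passed the check is the one the script name is relative to.
    Assumption: scripts sit directly in the CGI directory (no subfolders).
    """
    path = collapse(url_path)
    for cgi_dir in cgi_dirs:
        if path.startswith(cgi_dir + "/"):
            rest = path[len(cgi_dir) + 1:]
            script, _, path_info = rest.partition("/")
            return cgi_dir, script, path_info
    return None


def resolve_script(root, url_path):
    """Map a request path to a file under root/<cgi_dir>, or None."""
    parts = split_cgi(url_path)
    if parts is None:
        return None
    cgi_dir, script, _ = parts
    base = os.path.realpath(os.path.join(root, cgi_dir.lstrip("/")))
    target = os.path.realpath(os.path.join(base, script))
    # Second line of defence: a symlink must not lead out of the CGI directory.
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```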


  • Disclosure date: 2013-10-29 (Python issue bpo-19435 reported)

Fixed In

Python issue

Directory traversal attack for CGIHTTPRequestHandler.

  • Python issue: bpo-19435
  • Creation date: 2013-10-29
  • Reporter: Alexander Kruppa


Timeline using the disclosure date 2013-10-29 as reference: