CGI directory traversal (URL parsing)¶
An error in separating the path and filename of the CGI script to run in
http.server.CGIHTTPRequestHandler
allows running arbitrary executables
in the directory under which the server was started.
- Disclosure date: 2013-10-29 (Python issue bpo-19435 reported)
Fixed In¶
- Python 2.7.6 (2013-11-10) fixed by commit 1ef959a (branch 2.7) (2013-10-30)
- Python 3.2.6 (2014-10-11) fixed by commit 04e9de4 (branch 3.2) (2013-10-30)
- Python 3.3.4 (2014-02-09) fixed by commit 04e9de4 (branch 3.2) (2013-10-30)
- Python 3.4.0 (2014-03-16) fixed by commit 04e9de4 (branch 3.2) (2013-10-30)
Python issue¶
Directory traversal attack for CGIHTTPRequestHandler.
- Python issue: bpo-19435
- Creation date: 2013-10-29
- Reporter: Alexander Kruppa
Timeline¶
Timeline using the disclosure date 2013-10-29 as reference:
- 2013-10-29: Python issue bpo-19435 reported by Alexander Kruppa
- 2013-10-30 (+1 days): commit 04e9de4 (branch 3.2)
- 2013-10-30 (+1 days): commit 1ef959a (branch 2.7)
- 2013-11-10 (+12 days): Python 2.7.6 released
- 2014-02-09 (+103 days): Python 3.3.4 released
- 2014-03-16: Python 3.4.0 released
- 2014-10-11 (+347 days): Python 3.2.6 released