
Why does Python CGIHTTPServer on Ubuntu return my script if GET parameter has a slash character?

I'm trying to run some basic CGI with CGIHTTPServer. I want to pass a parameter with special characters in (specifically URLs, but I don't think this matters particularly). My setup works with POST, but not with GET. GET returns the contents of my CGI script instead. What am I doing wrong?

I'm getting this issue on Ubuntu 12.04 with Python 2.7.3. Running the same code on Windows or Raspbian works ok.

Here are my examples. My HTTP server is here, as server.py:

#!/usr/bin/python

import BaseHTTPServer
import CGIHTTPServer

PORT = 8888

server = BaseHTTPServer.HTTPServer
Handler = CGIHTTPServer.CGIHTTPRequestHandler

httpd = server(("", PORT), Handler)
httpd.serve_forever()

My web page, testcgi.html, looks like this:

<html>
<body>
<form method="get" action="/cgi-bin/testcgi.py">
<textarea name="comments" cols="20" rows="2">
Type message to GET here...
</textarea>
<br/>
<input type="submit" value="Test CGI GET">
</form>
<form method="post" action="/cgi-bin/testcgi.py">
<textarea name="comments" cols="20" rows="2">
Type message to POST here...
</textarea>
<br/>
<input type="submit" value="Test CGI POST">
</form>
</body>
</html>

...and my CGI script is testcgi.py; not sure this matters, but here it is:

#!/usr/bin/python
#testcgi.py

import cgi

form = cgi.FieldStorage()

val1 = form.getvalue('comments')

print """
<html>
The form input is below...<br/>
</html>"""
print val1

The output I get (running server.py on Ubuntu) is as follows. GET or POST with input of "Hello Goodbye":

The form input is below...
Hello Goodbye 

POST with the input "Hello/Goodbye":

The form input is below...
Hello/Goodbye 

GET with the input "Hello/Goodbye" returns the contents of the file testcgi.py as above.

As far as I can tell, other special characters (\\ : % & and so on) all work ok.

You have re-discovered a security issue with the older Python version you are running. See issue #21766; Python 2.7.6 and newer include the fix.

The CGIHTTPServer.CGIHTTPRequestHandler.is_cgi() method does not URL-decode the URL path before checking if it is a CGI script that is referenced.

The bug report contains a work-around, but be advised that since 2.7.3 was released the module has had several related bugs fixed before and since that security issue was reported. You may want to just grab the latest revision from the Python mercurial repositories; there have been several other fixes since 2.7.3 was tagged on 2013/04/09 you'll want to have.
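The ordering problem the answer describes (checking for a CGI path before percent-decoding it), as an added example that is not part of the original answer and is not CPython's code. It is a simplified Python 3 model; `split_head`, `is_cgi_raw`, `is_cgi_decoded`, `find_mismatches` and the sample request targets are hypothetical names and constructed data, and the query string is left out of the classification.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Default CGI directories of the standard-library CGI request handler.
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")

# Constructed request targets (not taken from any real log).
SAMPLE_TARGETS = [
    "/testcgi.html",
    "/cgi-bin/testcgi.py?comments=Hello%2FGoodbye",
    "/cgi-bin%2Ftestcgi.py",
    "/%63gi-bin/testcgi.py",
    "/cgi-bin/../testcgi.html",
]


def split_head(path):
    """Collapse '.' and '..', then split off the first path component."""
    collapsed = posixpath.normpath("/" + path.lstrip("/"))
    head, _, tail = collapsed[1:].partition("/")
    return "/" + head, tail


def is_cgi_raw(target):
    """Flawed order: classify the path exactly as received, undecoded."""
    head, _ = split_head(urlsplit(target).path)
    return head in CGI_DIRECTORIES


def is_cgi_decoded(target):
    """Corrected order: percent-decode the path first, then classify."""
    head, _ = split_head(unquote(urlsplit(target).path))
    return head in CGI_DIRECTORIES


def find_mismatches(targets):
    """Targets whose CGI classification changes once the path is decoded."""
    return [t for t in targets if is_cgi_raw(t) != is_cgi_decoded(t)]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:50} raw={is_cgi_raw(t)!s:5} decoded={is_cgi_decoded(t)}")
    print("mismatches:", find_mismatches(SAMPLE_TARGETS))
```

Any target in the mismatch list is treated as a plain file by the raw check even though, once decoded, it resolves to a script under a CGI directory. The same comparison can be run over access-log request lines or used as a regression test after upgrading.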
