
anatoly techtonik committed 3f45045

do not allow CGIHTTPServer to modify os.environ of parent process

  • Parent commits 9ebf894


Files changed (1)

9272.CGIHTTPServer-poisons-os.environ.patch

+# HG changeset patch
+# Parent 131b45a57b05c71965b164752baf8a4a810a56cd
+do not allow CGIHTTPServer to meddle with parent os.environ
+
+diff -r 131b45a57b05 Lib/CGIHTTPServer.py
+--- a/Lib/CGIHTTPServer.py	Thu Jul 15 20:48:37 2010 +0300
++++ b/Lib/CGIHTTPServer.py	Fri Jul 16 11:51:47 2010 +0300
+@@ -29,6 +29,7 @@
+ import BaseHTTPServer
+ import SimpleHTTPServer
+ import select
++import copy
+ 
+ 
+ class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
+@@ -154,7 +155,7 @@
+ 
+         # Reference: http://hoohoo.ncsa.uiuc.edu/cgi/env.html
+         # XXX Much of the following could be prepared ahead of time!
+-        env = {}
++        env = copy.deepcopy(os.environ)
+         env['SERVER_SOFTWARE'] = self.version_string()
+         env['SERVER_NAME'] = self.server.server_name
+         env['GATEWAY_INTERFACE'] = 'CGI/1.1'
+@@ -216,7 +217,6 @@
+         for k in ('QUERY_STRING', 'REMOTE_HOST', 'CONTENT_LENGTH',
+                   'HTTP_USER_AGENT', 'HTTP_COOKIE', 'HTTP_REFERER'):
+             env.setdefault(k, "")
+-        os.environ.update(env)
+ 
+         self.send_response(200, "Script output follows")
+ 
+@@ -248,7 +248,7 @@
+                     pass
+                 os.dup2(self.rfile.fileno(), 0)
+                 os.dup2(self.wfile.fileno(), 1)
+-                os.execve(scriptfile, args, os.environ)
++                os.execve(scriptfile, args, env)
+             except:
+                 self.server.handle_error(self.request, self.client_address)
+                 os._exit(127)
+@@ -274,7 +274,8 @@
+             p = subprocess.Popen(cmdline,
+                                  stdin = subprocess.PIPE,
+                                  stdout = subprocess.PIPE,
+-                                 stderr = subprocess.PIPE
++                                 stderr = subprocess.PIPE,
++                                 env = env
+                                 )
+             if self.command.lower() == "post" and nbytes > 0:
+                 data = self.rfile.read(nbytes)
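Review bot: `env = copy.deepcopy(os.environ)` in the patch's second hunk may not isolate the parent process as intended. As far as I can tell, in Python 2 `os.environ` is an `os._Environ` instance and a deep copy keeps that class, so each later `env[...] = ...` and `env.setdefault(...)` would still call `putenv()` on the server process. If so, request-derived values such as `HTTP_COOKIE` and `QUERY_STRING` stay in the real process environment and are inherited by any later child started without an explicit `env`. A plain dict avoids this: `env = os.environ.copy()`, which also makes the added `import copy` unnecessary. The method these hunks modify begins and ends outside the visible lines, so the remaining assignments to `env` could not be checked.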