File CVE-2014-4650-CGIHTTPServer-traversal.patch of Package python.openSUSE_12.3_Update

# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1402796189 25200
# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
# Parent  bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
url unquote the path before checking if it refers to a CGI script (closes #21766)

Index: Python-2.7.3/Lib/CGIHTTPServer.py
===================================================================
--- Python-2.7.3.orig/Lib/CGIHTTPServer.py	2014-08-06 14:41:46.842520853 +0200
+++ Python-2.7.3/Lib/CGIHTTPServer.py	2014-08-06 14:42:23.557756488 +0200
@@ -84,7 +84,7 @@
         path begins with one of the strings in self.cgi_directories
         (and the next character is a '/' or the end of the string).
         """
-        splitpath = _url_collapse_path_split(self.path)
+        splitpath = _url_collapse_path_split(urllib.unquote(self.path))
         if splitpath[0] in self.cgi_directories:
             self.cgi_info = splitpath
             return True
Index: Python-2.7.3/Lib/test/test_httpservers.py
===================================================================
--- Python-2.7.3.orig/Lib/test/test_httpservers.py	2014-08-06 14:41:39.113471276 +0200
+++ Python-2.7.3/Lib/test/test_httpservers.py	2014-08-06 14:41:46.842520853 +0200
@@ -495,6 +495,11 @@
                 (res.read(), res.getheader('Content-type'), res.status))
         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
 
 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
     """ Test url parsing """