1 files changed, 26 insertions, 4 deletions

diff --git a/WebKitTools/pywebsocket/mod_pywebsocket/standalone.py b/WebKitTools/pywebsocket/mod_pywebsocket/standalone.py
index 0e6a349..8628ff9 100644
--- a/WebKitTools/pywebsocket/mod_pywebsocket/standalone.py
+++ b/WebKitTools/pywebsocket/mod_pywebsocket/standalone.py
@@ -58,6 +58,7 @@ used for each request.
 """
 
 import BaseHTTPServer
+import CGIHTTPServer
 import SimpleHTTPServer
 import SocketServer
 import logging
@@ -202,8 +203,8 @@ class WebSocketServer(SocketServer.ThreadingMixIn, BaseHTTPServer.HTTPServer):
         # trailing comma.
 
 
-class WebSocketRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
-    """SimpleHTTPRequestHandler specialized for Web Socket."""
+class WebSocketRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):
+    """CGIHTTPRequestHandler specialized for Web Socket."""
 
     def setup(self):
         """Override SocketServer.StreamRequestHandler.setup."""
@@ -222,7 +223,7 @@ class WebSocketRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
         self._handshaker = handshake.Handshaker(
                 self._request, self._dispatcher,
                 WebSocketRequestHandler.options.strict)
-        SimpleHTTPServer.SimpleHTTPRequestHandler.__init__(
+        CGIHTTPServer.CGIHTTPRequestHandler.__init__(
                 self, *args, **keywords)
 
     def _print_warnings_if_any(self):
@@ -236,7 +237,7 @@ class WebSocketRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
 
         Return True to continue processing for HTTP(S), False otherwise.
         """
-        result = SimpleHTTPServer.SimpleHTTPRequestHandler.parse_request(self)
+        result = CGIHTTPServer.CGIHTTPRequestHandler.parse_request(self)
         if result:
             try:
                 self._handshaker.do_handshake()
@@ -268,6 +269,16 @@ class WebSocketRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
         # For example, HTTP status code is logged by this method.
         logging.warn('%s - %s' % (self.address_string(), (args[0] % args[1:])))
 
+    def is_cgi(self):
+        """Test whether self.path corresponds to a CGI script.
+
+        Add extra check that self.path doesn't contains .."""
+        if CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self):
+            if '..' in self.path:
+                return False
+            return True
+        return False
+
 
 def _configure_logging(options):
     logger = logging.getLogger()
@@ -329,6 +340,12 @@ def _main():
     parser.add_option('-d', '--document_root', dest='document_root',
                       default='.',
                       help='Document root directory.')
+    parser.add_option('-x', '--cgi_paths', dest='cgi_paths',
+                      default=None,
+                      help=('CGI paths relative to document_root.'
+                            'Comma-separated. (e.g -x /cgi,/htbin) '
+                            'Files under document_root/cgi_path are handled '
+                            'as CGI programs. Must be executable.'))
     parser.add_option('-t', '--tls', dest='use_tls', action='store_true',
                       default=False, help='use TLS (wss://)')
     parser.add_option('-k', '--private_key', dest='private_key',
@@ -359,6 +376,11 @@ def _main():
     _configure_logging(options)
 
     SocketServer.TCPServer.request_queue_size = options.request_queue_size
+    CGIHTTPServer.CGIHTTPRequestHandler.cgi_directories = []
+
+    if options.cgi_paths:
+        CGIHTTPServer.CGIHTTPRequestHandler.cgi_directories = \
+            options.cgi_paths.split(',')
 
     if options.use_tls:
         if not _HAS_OPEN_SSL: