|
18 | 18 | # |
19 | 19 |
|
20 | 20 | from . import apache |
21 | | -import imp |
| 21 | +import importlib.util |
22 | 22 | import os |
23 | 23 | import sys |
24 | 24 |
|
@@ -86,24 +86,35 @@ def handler(req): |
86 | 86 | # simulate cgi environment |
87 | 87 | env, si, so = apache.setup_cgi(req) |
88 | 88 |
|
| 89 | + scriptPath = os.path.join(dir, file) |
| 90 | + |
| 91 | + if not os.path.exists(scriptPath): |
| 92 | + raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND) |
| 93 | + |
| 94 | + # avoid loading modules outside dir |
| 95 | + # (e.g. shenaningans like ../../../../etc/passwd) |
| 96 | + scriptPath = os.path.abspath(scriptPath) |
| 97 | + if not scriptPath.startswith(dir): |
| 98 | + raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND) |
| 99 | + |
89 | 100 | try: |
90 | 101 | # we do not search the pythonpath (security reasons) |
91 | | - fd, path, desc = imp.find_module(module_name, [dir]) |
92 | | - except ImportError: |
| 102 | + spec = importlib.util.spec_from_file_location(module_name, scriptPath) |
| 103 | + except (ModuleNotFoundError, ValueError): |
93 | 104 | raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND) |
94 | 105 |
|
95 | | - # this executes the module |
96 | | - imp.load_module(module_name, fd, path, desc) |
| 106 | + if spec is None: |
| 107 | + raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND) |
| 108 | + |
| 109 | + module = importlib.util.module_from_spec(spec) |
| 110 | + sys.modules[module_name] = module |
| 111 | + spec.loader.exec_module(module) |
97 | 112 |
|
98 | 113 | return apache.OK |
99 | 114 |
|
100 | 115 | finally: |
101 | 116 | # unsimulate the cgi environment |
102 | 117 | apache.restore_nocgi(env, si, so) |
103 | | - try: |
104 | | - fd.close() |
105 | | - except: pass |
106 | 118 | os.chdir(cwd) |
107 | 119 | finally: |
108 | 120 | _lock.release() |
109 | | - |
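Review bot: The containment test added at new lines 96-97, `scriptPath.startswith(dir)`, compares strings rather than path components, so a sibling directory whose name merely extends `dir` (a constructed example: `/srv/app` versus `/srv/app-old/x.py`) still passes. `os.path.abspath` also only collapses `..` lexically and does not resolve symlinks, and nothing in the hunk shows `dir` being normalised, so the two sides of the comparison may not be in the same form. Resolving both with `os.path.realpath` and comparing with `os.path.commonpath`, done before the existence test, closes both gaps. Using `os.path.isfile` instead of `os.path.exists` would also keep a directory from reaching the loader. `dir` and `file` are assigned outside the hunk and `handler` begins above it, so how much of the path is request-controlled cannot be confirmed from here.

```python
# resolve symlinks and ".." on both sides before comparing
baseDir = os.path.realpath(dir)
scriptPath = os.path.realpath(os.path.join(dir, file))

# compare whole path components, not a string prefix
if os.path.commonpath([baseDir, scriptPath]) != baseDir:
    raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

if not os.path.isfile(scriptPath):
    raise apache.SERVER_RETURN(apache.HTTP_NOT_FOUND)

# … unchanged: spec_from_file_location / module_from_spec / exec_module …
```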
|