Somewhere between Python 3.3 and 3.4, a bug was introduced that forbids the "http.server" module, working in CGI server mode, to run scripts residing in subdirectories.This will break existing software that relies on this feature.How to reproduce the bug:1. Create a temporary directory and enter it.2. Create a directory "cgi-bin", and then directory "test" inside "cgi-bin".3. Create a file "test.py" in "cgi-bin/test" with the following contents (see also attachment to this bug report):print("""Content-type: text/plainCGI script executed successfully!""")4. When run, it should print the following:Content-type: text/plainCGI script executed successfully!5. Now, run Python 3.3 in CGI HTTP server mode:c:\Python33\python.exe -m http.server --cgi 8000A request to "http://localhost:8000/cgi-bin/test/test.py" then produces the following in the HTTP server log:Serving HTTP on 0.0.0.0 port 8000 ...127.0.0.1 - - [21/Apr/2014 22:59:11] "GET /cgi-bin/test/test.py HTTP/1.0" 200 -127.0.0.1 - - [21/Apr/2014 22:59:11] command: c:\Python33\python.exe -u C:\TMP\cgi-bin\test\test.py ""127.0.0.1 - - [21/Apr/2014 22:59:11] CGI script exited OK6. Now, try this with Python 3.4, and the request will fail with the following in the log:C:\TMP>c:\Python34\python.exe -m http.server --cgi 8000Serving HTTP on 0.0.0.0 port 8000 ...127.0.0.1 - - [21/Apr/2014 23:02:38] code 403, message CGI script is not a plain file ('/cgi-bin/test')127.0.0.1 - - [21/Apr/2014 23:02:38] "GET /cgi-bin/test/test.py HTTP/1.0" 403 -This _could_ be related to the change introduced byissue 19435, although I am not sure.Tested with Windows XP SP3.

Hi, I am curious about the fate of this issue -- whether it will be recognised as a bug (possibly a regression bug). Remember, it worked in Python 3.3 but stopped working in 3.4.

The change in behavior is definitely caused by the changes forIssue19435.  The code added there does not work correctly if there are nested directories in the "cgi-bin" directory; for one thing, the initial os.path.isdir(scriptdir) test in run_cgi is failing because the path in nextdir is missing the dir component: it's testing /path/to/test instead of /path/to/cgi-bin/test.  I didn't look further.  Along with a fix, there should be a test for nested directories.  And decide whether to fix the regression it presumably caused in the security branches as well.http://hg.python.org/cpython/file/d25ae22cc992/Lib/http/server.py#l1009

BTW, if someone is looking for an issue to help out with, this might be a good choice.

Hi, I'm new. I wrote a test for nested directories under cgi-bin and got that to pass without failing the test added for 19435 by undoing most of the changes to run_cgi() but building path from the values in self.cgi_info. Thoughts?

Zach, thanks for the patch and the test. Someone will review it in the coming days. In the meantime, if you haven't already, please review and submit the Python Contributor's Agreement:https://www.python.org/psf/contrib/contrib-form/ otherwise we won't be able to use your contribution.

The fix and test look good to me.  I'll apply it after Zach submits the contributor agreement.

Done and done.

New changesetd367ea865ea4 by Ned Deily in branch '2.7':Issue#21323: Fix CGIHTTPServer to again handle scripts in CGI subdirectories,http://hg.python.org/cpython/rev/d367ea865ea4New changeset4de94641ba3e by Ned Deily in branch '3.2':Issue#21323: Fix http.server to again handle scripts in CGI subdirectories,http://hg.python.org/cpython/rev/4de94641ba3eNew changesetb957f475e41e by Ned Deily in branch '3.3':Issue#21323: Fix http.server to again handle scripts in CGI subdirectories,http://hg.python.org/cpython/rev/b957f475e41eNew changeset385f4406dc26 by Ned Deily in branch '3.4':Issue#21323: Fix http.server to again handle scripts in CGI subdirectories,http://hg.python.org/cpython/rev/385f4406dc26New changeset22e5a85ba840 by Ned Deily in branch 'default':Issue#21323: Fix http.server to again handle scripts in CGI subdirectories,http://hg.python.org/cpython/rev/22e5a85ba840

Since the original changes forIssue19435 were also applied to branches in security fix mode, the fix here is applied to them as well, with the exception of 3.1 which has subsequently moved to end-of-life status.  Applied for release in 2.7.9, 3.2.6, 3.3.6, 3.4.2, and 3.5.0.  Thanks again, Konstantin and Zach.