Sep 15, 2023 · Sep 13, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
   Note that CGI scripts will be run with UID of user nobody, for security
   reasons.  Problems with the CGI script will be translated to error 403.

   .. deprecated-removed:: 3.13 3.15

      :class:`CGIHTTPRequestHandler` is being removed in 3.15.  CGI has not
      been considered a good way to do things for well over a decade. This code
      has been unmaintained for a while now and sees very little practical use.
      Retaining it could lead to further :ref:`security considerations
      <http.server-security>`.

 :class:`CGIHTTPRequestHandler` can be enabled in the command line by passing
 the ``--cgi`` option::

        python -m http.server --cgi

 .. deprecated-removed:: 3.13 3.15

   :mod:`http.server` command line ``--cgi`` support is being removed
   because :class:`CGIHTTPRequestHandler` is being removed.

 .. _http.server-security:

 Security Considerations
diff --git a/Lib/http/server.py b/Lib/http/server.py

 Note: BaseHTTPRequestHandler doesn't implement any HTTP request; see
 SimpleHTTPRequestHandler for simple implementations of GET, HEAD and POST,
 and CGIHTTPRequestHandler for CGI scripts.
 and(deprecated)CGIHTTPRequestHandler for CGI scripts.

 It does, however, optionally implement HTTP/1.1 persistent connections,
 as of version 0.3.
 It does, however, optionally implement HTTP/1.1 persistent connections.

 Notes on CGIHTTPRequestHandler
 ------------------------------

 This class implements GET and POST requests to cgi-bin scripts.
 This classis deprecated. Itimplements GET and POST requests to cgi-bin scripts.

 If the os.fork() function is not present (e.g. on Windows),
 subprocess.Popen() is used as a fallback, with slightly altered semantics.
 If the os.fork() function is not present (Windows), subprocess.Popen() is used,
 with slightly altered but never documented semantics.  Use from a threaded
 process is likely to trigger a warning at os.fork() time.

 In all cases, the implementation is intentionally naive -- all
 requests are executed synchronously.

    """

    def __init__(self, *args, **kwargs):
        import warnings
        warnings._deprecated("http.server.CGIHTTPRequestHandler",
                             remove=(3, 15))
        super().__init__(*args, **kwargs)

    # Determine platform specifics
    have_fork = hasattr(os, 'fork')

diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
        "This test can't be run reliably as root (issue #13308).")
 class CGIHTTPServerTestCase(BaseTestCase):
    class request_handler(NoLogRequestHandler, CGIHTTPRequestHandler):
        pass
        _test_case_self = None  # populated by each setUp() method call.

        def __init__(self, *args, **kwargs):
            with self._test_case_self.assertWarnsRegex(
                    DeprecationWarning,
                    r'http\.server\.CGIHTTPRequestHandler'):
                # This context also happens to catch and silence the
                # threading DeprecationWarning from os.fork().
                super().__init__(*args, **kwargs)

    linesep = os.linesep.encode('ascii')

    def setUp(self):
        self.request_handler._test_case_self = self  # practical, but yuck.
        BaseTestCase.setUp(self)
        self.cwd = os.getcwd()
        self.parent_dir = tempfile.mkdtemp()
        os.chdir(self.parent_dir)

    def tearDown(self):
        self.request_handler._test_case_self = None
        try:
            os.chdir(self.cwd)
            if self._pythonexe_symlink:
diff --git a/Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst b/Misc/NEWS.d/next/Library/2023-09-15-12-20-23.gh-issue-109096.VksX1D.rst
 :class:`http.server.CGIHTTPRequestHandler` has been deprecated for removal
 in 3.15.  Its design is old and the web world has long since moved beyond
 CGI.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -502,11 +502,24 @@ following command runs an HTTP/1.1 conformant server::
		Note that CGI scripts will be run with UID of user nobody, for security
		reasons. Problems with the CGI script will be translated to error 403.

		.. deprecated-removed:: 3.13 3.15

		:class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not
		been considered a good way to do things for well over a decade. This code
		has been unmaintained for a while now and sees very little practical use.
		Retaining it could lead to further :ref:`security considerations
		<http.server-security>`.

		:class:`CGIHTTPRequestHandler` can be enabled in the command line by passing
		the ``--cgi`` option::

		python -m http.server --cgi

		.. deprecated-removed:: 3.13 3.15

		:mod:`http.server` command line ``--cgi`` support is being removed
		because :class:`CGIHTTPRequestHandler` is being removed.

		.. _http.server-security:

		Security Considerations
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,18 +2,18 @@

		Note: BaseHTTPRequestHandler doesn't implement any HTTP request; see
		SimpleHTTPRequestHandler for simple implementations of GET, HEAD and POST,
		and CGIHTTPRequestHandler for CGI scripts.
		and(deprecated)CGIHTTPRequestHandler for CGI scripts.

		It does, however, optionally implement HTTP/1.1 persistent connections,
		as of version 0.3.
		It does, however, optionally implement HTTP/1.1 persistent connections.

		Notes on CGIHTTPRequestHandler
		------------------------------

		This class implements GET and POST requests to cgi-bin scripts.
		This classis deprecated. Itimplements GET and POST requests to cgi-bin scripts.

		If the os.fork() function is not present (e.g. on Windows),
		subprocess.Popen() is used as a fallback, with slightly altered semantics.
		If the os.fork() function is not present (Windows), subprocess.Popen() is used,
		with slightly altered but never documented semantics. Use from a threaded
		process is likely to trigger a warning at os.fork() time.

		In all cases, the implementation is intentionally naive -- all
		requests are executed synchronously.
Expand DownExpand Up		@@ -986,6 +986,12 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):

		"""

		def __init__(self, args, *kwargs):
		import warnings
		warnings._deprecated("http.server.CGIHTTPRequestHandler",
		remove=(3, 15))
		super().__init__(args, *kwargs)

		# Determine platform specifics
		have_fork = hasattr(os, 'fork')

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -699,11 +699,20 @@ def test_html_escape_filename(self):
		"This test can't be run reliably as root (issue #13308).")
		class CGIHTTPServerTestCase(BaseTestCase):
		class request_handler(NoLogRequestHandler, CGIHTTPRequestHandler):
		pass
		_test_case_self = None # populated by each setUp() method call.

		def __init__(self, args, *kwargs):
		with self._test_case_self.assertWarnsRegex(
		DeprecationWarning,
		r'http\.server\.CGIHTTPRequestHandler'):
		# This context also happens to catch and silence the
		# threading DeprecationWarning from os.fork().
		super().__init__(args, *kwargs)

		linesep = os.linesep.encode('ascii')

		def setUp(self):
		self.request_handler._test_case_self = self # practical, but yuck.
		BaseTestCase.setUp(self)
		self.cwd = os.getcwd()
		self.parent_dir = tempfile.mkdtemp()
Expand DownExpand Up		@@ -780,6 +789,7 @@ def setUp(self):
		os.chdir(self.parent_dir)

		def tearDown(self):
		self.request_handler._test_case_self = None
		try:
		os.chdir(self.cwd)
		if self._pythonexe_symlink:
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		:class:`http.server.CGIHTTPRequestHandler` has been deprecated for removal
		in 3.15. Its design is old and the web world has long since moved beyond
		CGI.