May 17, 2025 · May 10, 2025 · May 10, 2025 · May 10, 2025 · May 11, 2025 · May 11, 2025
diff --git a/Doc/deprecations/pending-removal-in-3.15.rst b/Doc/deprecations/pending-removal-in-3.15.rst

 * :mod:`http.server`:

  * The obsolete and rarely used :class:`~http.server.CGIHTTPRequestHandler`
  * The obsolete and rarely used :class:`!http.server.CGIHTTPRequestHandler`
    has been deprecated since Python 3.13.
    No direct replacement exists.
    *Anything* is better than CGI to interface
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
 :attr:`index_pages`.


 .. class:: CGIHTTPRequestHandler(request, client_address, server)

   This class is used to serve either files or output of CGI scripts from the
   current directory and below. Note that mapping HTTP hierarchic structure to
   local directory structure is exactly as in :class:`SimpleHTTPRequestHandler`.

   .. note::

      CGI scripts run by the :class:`CGIHTTPRequestHandler` class cannot execute
      redirects (HTTP code 302), because code 200 (script output follows) is
      sent prior to execution of the CGI script.  This pre-empts the status
      code.

   The class will however, run the CGI script, instead of serving it as a file,
   if it guesses it to be a CGI script.  Only directory-based CGI are used ---
   the other common server configuration is to treat special extensions as
   denoting CGI scripts.

   The :func:`do_GET` and :func:`do_HEAD` functions are modified to run CGI scripts
   and serve the output, instead of serving files, if the request leads to
   somewhere below the ``cgi_directories`` path.

   The :class:`CGIHTTPRequestHandler` defines the following data member:

   .. attribute:: cgi_directories

      This defaults to ``['/cgi-bin', '/htbin']`` and describes directories to
      treat as containing CGI scripts.

   The :class:`CGIHTTPRequestHandler` defines the following method:

   .. method:: do_POST()

      This method serves the ``'POST'`` request type, only allowed for CGI
      scripts.  Error 501, "Can only POST to CGI scripts", is output when trying
      to POST to a non-CGI url.

   Note that CGI scripts will be run with UID of user nobody, for security
   reasons.  Problems with the CGI script will be translated to error 403.

   .. deprecated-removed:: 3.13 3.15

      :class:`CGIHTTPRequestHandler` is being removed in 3.15.  CGI has not
      been considered a good way to do things for well over a decade. This code
      has been unmaintained for a while now and sees very little practical use.
      Retaining it could lead to further :ref:`security considerations
      <http.server-security>`.


 .. _http-server-cli:

 Command-line interface

   .. versionadded:: 3.11

 .. option:: --cgi

   :class:`CGIHTTPRequestHandler` can be enabled in the command line by passing
   the ``--cgi`` option::

      python -m http.server --cgi

   .. deprecated-removed:: 3.13 3.15

      :mod:`http.server` command line ``--cgi`` support is being removed
      because :class:`CGIHTTPRequestHandler` is being removed.

 .. warning::

   :class:`CGIHTTPRequestHandler` and the ``--cgi`` command-line option
   are not intended for use by untrusted clients and may be vulnerable
   to exploitation. Always use within a secure environment.

 .. option:: --tls-cert

   Specifies a TLS certificate chain for HTTPS connections::
diff --git a/Doc/whatsnew/3.13.rst b/Doc/whatsnew/3.13.rst

 * :mod:`http.server`:

  * Deprecate :class:`~http.server.CGIHTTPRequestHandler`,
  * Deprecate :class:`!http.server.CGIHTTPRequestHandler`,
    to be removed in Python 3.15.
    Process-based CGI HTTP servers have been out of favor for a very long time.
    This code was outdated, unmaintained, and rarely used.
diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst
 Removed
 =======

 http.server
 -----------

 * Removed the :class:`!http.server.CGIHTTPRequestHandler` class
  and the ``--cgi`` flag to the :program:`python -m http.server`
  command-line interface. Those are deprecated since Python 3.13.
  (Contributed by Bénédikt Tran in :gh:`133810`.)


 sysconfig
 ---------

diff --git a/Lib/_compat_pickle.py b/Lib/_compat_pickle.py
    'SimpleDialog': 'tkinter.simpledialog',
    'DocXMLRPCServer': 'xmlrpc.server',
    'SimpleHTTPServer': 'http.server',
    'CGIHTTPServer': 'http.server',
    # For compatibility with broken pickles saved in old Python 3 versions
    'UserDict': 'collections',
    'UserList': 'collections',
        ('DocXMLRPCServer', 'DocCGIXMLRPCRequestHandler'),
    ('http.server', 'SimpleHTTPRequestHandler'):
        ('SimpleHTTPServer', 'SimpleHTTPRequestHandler'),
    ('http.server', 'CGIHTTPRequestHandler'):
        ('CGIHTTPServer', 'CGIHTTPRequestHandler'),
    ('_socket', 'socket'): ('socket', '_socketobject'),
 })

diff --git a/Lib/http/client.py b/Lib/http/client.py
    return enc_name

 class HTTPMessage(email.message.Message):
    # XXX The only usage of this method is in
    # http.server.CGIHTTPRequestHandler.  Maybe move the code there so
    # that it doesn't need to be part of the public API.  The API has
    # never been defined so this could cause backwards compatibility
    # issues.

    # The getallmatchingheaders() method was only used by the CGI handler
    # that was removed in Python 3.15. However, since the public API was not
    # properly defined, it will be kept for backwards compatibility reasons.

    def getallmatchingheaders(self, name):
        """Find all header lines matching a given header name.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -20,7 +20,7 @@ Pending removal in Python 3.15

		* :mod:`http.server`:

		* The obsolete and rarely used :class:`~http.server.CGIHTTPRequestHandler`
		* The obsolete and rarely used :class:`!http.server.CGIHTTPRequestHandler`
picnixz marked this conversation as resolved. Show resolvedHide resolved
		has been deprecated since Python 3.13.
		No direct replacement exists.
		Anything is better than CGI to interface
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -459,55 +459,6 @@ such as using different index file names by overriding the class attribute
		:attr:`index_pages`.


		.. class:: CGIHTTPRequestHandler(request, client_address, server)

		This class is used to serve either files or output of CGI scripts from the
		current directory and below. Note that mapping HTTP hierarchic structure to
		local directory structure is exactly as in :class:`SimpleHTTPRequestHandler`.

		.. note::

		CGI scripts run by the :class:`CGIHTTPRequestHandler` class cannot execute
		redirects (HTTP code 302), because code 200 (script output follows) is
		sent prior to execution of the CGI script. This pre-empts the status
		code.

		The class will however, run the CGI script, instead of serving it as a file,
		if it guesses it to be a CGI script. Only directory-based CGI are used ---
		the other common server configuration is to treat special extensions as
		denoting CGI scripts.

		The :func:`do_GET` and :func:`do_HEAD` functions are modified to run CGI scripts
		and serve the output, instead of serving files, if the request leads to
		somewhere below the ``cgi_directories`` path.

		The :class:`CGIHTTPRequestHandler` defines the following data member:

		.. attribute:: cgi_directories

		This defaults to ``['/cgi-bin', '/htbin']`` and describes directories to
		treat as containing CGI scripts.

		The :class:`CGIHTTPRequestHandler` defines the following method:

		.. method:: do_POST()

		This method serves the ``'POST'`` request type, only allowed for CGI
		scripts. Error 501, "Can only POST to CGI scripts", is output when trying
		to POST to a non-CGI url.

		Note that CGI scripts will be run with UID of user nobody, for security
		reasons. Problems with the CGI script will be translated to error 403.

		.. deprecated-removed:: 3.13 3.15

		:class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not
		been considered a good way to do things for well over a decade. This code
		has been unmaintained for a while now and sees very little practical use.
		Retaining it could lead to further :ref:`security considerations
		<http.server-security>`.


		.. _http-server-cli:

		Command-line interface
Expand DownExpand Up		@@ -564,24 +515,6 @@ The following options are accepted:

		.. versionadded:: 3.11

		.. option:: --cgi

		:class:`CGIHTTPRequestHandler` can be enabled in the command line by passing
		the ``--cgi`` option::

		python -m http.server --cgi

		.. deprecated-removed:: 3.13 3.15

		:mod:`http.server` command line ``--cgi`` support is being removed
		because :class:`CGIHTTPRequestHandler` is being removed.

		.. warning::

		:class:`CGIHTTPRequestHandler` and the ``--cgi`` command-line option
		are not intended for use by untrusted clients and may be vulnerable
		to exploitation. Always use within a secure environment.

		.. option:: --tls-cert

		Specifies a TLS certificate chain for HTTPS connections::
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1871,7 +1871,7 @@ New Deprecations

		* :mod:`http.server`:

		* Deprecate :class:`~http.server.CGIHTTPRequestHandler`,
		* Deprecate :class:`!http.server.CGIHTTPRequestHandler`,
picnixz marked this conversation as resolved. Show resolvedHide resolved
		to be removed in Python 3.15.
		Process-based CGI HTTP servers have been out of favor for a very long time.
		This code was outdated, unmaintained, and rarely used.
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -121,6 +121,15 @@ Deprecated
		Removed
		=======

		http.server
		-----------

		* Removed the :class:`!http.server.CGIHTTPRequestHandler` class
picnixz marked this conversation as resolved. Show resolvedHide resolved
		and the ``--cgi`` flag to the :program:`python -m http.server`
picnixz marked this conversation as resolved. Show resolvedHide resolved
		command-line interface. Those are deprecated since Python 3.13.
picnixz marked this conversation as resolved. Show resolvedHide resolved
		(Contributed by Bénédikt Tran in :gh:`133810`.)


		sysconfig
		---------

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -175,7 +175,6 @@
		'SimpleDialog': 'tkinter.simpledialog',
		'DocXMLRPCServer': 'xmlrpc.server',
		'SimpleHTTPServer': 'http.server',
		'CGIHTTPServer': 'http.server',
		# For compatibility with broken pickles saved in old Python 3 versions
		'UserDict': 'collections',
		'UserList': 'collections',
Expand DownExpand Up		@@ -217,8 +216,6 @@
		('DocXMLRPCServer', 'DocCGIXMLRPCRequestHandler'),
		('http.server', 'SimpleHTTPRequestHandler'):
		('SimpleHTTPServer', 'SimpleHTTPRequestHandler'),
		('http.server', 'CGIHTTPRequestHandler'):
		('CGIHTTPServer', 'CGIHTTPRequestHandler'),
		('_socket', 'socket'): ('socket', '_socketobject'),
		})

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -181,11 +181,10 @@ def _strip_ipv6_iface(enc_name: bytes) -> bytes:
		return enc_name

		class HTTPMessage(email.message.Message):
		# XXX The only usage of this method is in
		# http.server.CGIHTTPRequestHandler. Maybe move the code there so
		# that it doesn't need to be part of the public API. The API has
		# never been defined so this could cause backwards compatibility
		# issues.

		# The getallmatchingheaders() method was only used by the CGI handler
		# that was removed in Python 3.15. However, since the public API was not
		# properly defined, it will be kept for backwards compatibility reasons.
Comment on lines +185 to +187 Copy link Member hugovkMay 16, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Hmm, perhaps a candidate for deprecation in 3.15? Separate issue to check for usage and so on. If so, perhaps can be removed in 3.17 rather than the 3.20. Copy link MemberAuthor picnixzMay 16, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. We have a separate issue for this method so we can discuss its removal as well. I'll need to find it though. hugovk reacted with thumbs up emoji

		def getallmatchingheaders(self, name):
		"""Find all header lines matching a given header name.
Expand Down