[Python-Dev] cgi.FieldStorage DOS (sf bug #1112549)
Chris McDonough
chrism at plope.com
Sat Jul 29 02:02:10 CEST 2006
From the initial bug report
(http://sourceforge.net/tracker/index.php?func=detail&aid=1112549&group_id=5470&atid=105470)
"""
Various parts of cgi.FieldStorage call its
"read_lines_to_outerboundary", "read_lines" and
"skip_lines" methods. These methods use the
"readline" method of the file object that represents an
input stream. The input stream is typically data
supplied by an untrusted source (such as a user
uploading a file from a web browser). The input data
is not required by the RFC 822/1521/1522/1867
specifications to contain any newline characters. For
example, it is within the bounds of the specification
to supply a multipart/form-data input stream with a
"file-data" part that consists of a 2GB string composed
entirely of "x" characters (which happens to be
something I did that led me to noticing this bug).
"""
This bug has been around for about a year but I just worked up a
patch yesterday that applies OK against current SVN. It's attached
to the issue. Would someone be so kind as to check it in? Guido has
already reviewed it, I believe.
- C
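
Added example, not part of the original post and not the patch attached to the issue: a sketch of the mitigation the bug report implies, which is to pass a size limit to every readline() call so a part with no newline is copied in fixed-size pieces. The names copy_until_boundary, CountingStream and CHUNK are hypothetical, and the input streams are constructed.

```python
import io

CHUNK = 1 << 16  # assumed per-read cap; must exceed the boundary line length


class CountingStream(io.BytesIO):
    """Constructed input stream that records the largest readline() result."""
    largest = 0

    def readline(self, size=-1):
        data = super().readline(size)
        self.largest = max(self.largest, len(data))
        return data


def copy_until_boundary(fp, boundary, out, chunk=CHUNK):
    """Copy one multipart body part from fp to out, stopping at the boundary.

    Returns the payload byte count. No read asks for more than `chunk`
    bytes, so a part without any newline cannot force one huge allocation.
    """
    next_b, last_b = b"--" + boundary, b"--" + boundary + b"--"
    if chunk < len(last_b) + 2:
        raise ValueError("chunk must be able to hold a whole boundary line")
    held = b""            # trailing CR/LF kept back: may belong to the boundary
    at_line_start = True  # a boundary only counts at the start of a line
    written = 0
    while True:
        line = fp.readline(chunk)  # the unbounded fp.readline() is the bug
        if not line:               # EOF without a boundary: flush held bytes
            out.write(held)
            return written + len(held)
        if at_line_start and line.rstrip(b"\r\n") in (next_b, last_b):
            return written         # held line ending is part of the delimiter
        data = held + line
        held = b""
        for ending in (b"\r\n", b"\n", b"\r"):
            if data.endswith(ending):
                held = ending
                break
        at_line_start = held.endswith(b"\n")
        payload = data[:len(data) - len(held)]
        out.write(payload)
        written += len(payload)
```

The line ending before a boundary is held back because it belongs to the delimiter, not the payload; that also covers a CRLF split across two bounded reads.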