[New-bugs-announce] [issue18167] cgi.FieldStorage fails to handle multipart/form-data when \r\n appears at end of 65535 bytes without other newlines

Chris AtLee report at bugs.python.org
Sat Jun 8 02:46:59 CEST 2013


New submission from Chris AtLee:

cgi.FieldStorage uses fp.readline(1 << 16) to read in POSTed file data if no content length has been specified. All HTTP clients I've looked at terminate the file body with CRLF and then the final MIME boundary. If the file body is 65,535 bytes, and doesn't contain \n or \r\n, then fp.readline(1 << 16) will return the original 65,535 bytes of the file plus the \r from the final \r\n sequence before the final boundary string. Since \r isn't considered a line ending, it gets considered as part of the POSTed file data, and you end up with an extra \r at the end of the file data.

----------
components: Library (Lib)
files: cgi-test-cpython.patch
keywords: patch
messages: 190784
nosy: catlee
priority: normal
severity: normal
status: open
title: cgi.FieldStorage fails to handle multipart/form-data when \r\n appears at end of 65535 bytes without other newlines
type: behavior
versions: Python 2.7
Added file: http://bugs.python.org/file30502/cgi-test-cpython.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18167>
_______________________________________
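
The behaviour described in the report, reproduced as an added example (not code from the report, the attached patch, or CPython). `read_part` is a simplified model of a line-based multipart reader, and `crlf_safe_readline` is one possible mitigation that assumes a seekable stream; all function names and the BOUNDARY string are constructed for illustration.

```python
import io

LIMIT = 1 << 16          # readline() cap named in the report
END = b"--BOUNDARY--"    # constructed closing boundary

def build_body(payload):
    # Constructed part body: payload, CRLF, closing MIME boundary.
    return payload + b"\r\n" + END + b"\r\n"

def capped_readline(fp):
    # Plain capped read: a CRLF straddling the cap is split into '\r' | '\n'.
    return fp.readline(LIMIT)

def crlf_safe_readline(fp):
    # Possible mitigation (assumes a seekable stream): if the cap cut the
    # chunk right after '\r', pull in a following '\n' so CRLF stays whole.
    line = fp.readline(LIMIT)
    if len(line) == LIMIT and line.endswith(b"\r"):
        nxt = fp.read(1)
        if nxt == b"\n":
            line += nxt
        elif nxt:
            fp.seek(-1, io.SEEK_CUR)  # not a CRLF: put the byte back
    return line

def read_part(fp, readline):
    # Simplified model: the line ending just before the boundary is a
    # delimiter, not file data, so it is held back until the next line.
    out, held = [], b""
    while True:
        line = readline(fp)
        if not line or line.strip() == END:
            break
        out.append(held)
        if line.endswith(b"\r\n"):
            held, line = b"\r\n", line[:-2]
        elif line.endswith(b"\n"):
            held, line = b"\n", line[:-1]
        else:
            held = b""  # a lone trailing '\r' stays in the data
        out.append(line)
    return b"".join(out)

def demo(size):
    # Returns (naive intact?, mitigated intact?, last byte of naive result).
    payload = b"a" * size
    body = build_body(payload)
    naive = read_part(io.BytesIO(body), capped_readline)
    safe = read_part(io.BytesIO(body), crlf_safe_readline)
    return naive == payload, safe == payload, naive[-1:]
```

Only the 65,535-byte payload is corrupted by the capped read; one byte shorter or longer and the CRLF is no longer split at the cap, which is why a digest comparison on uploads of exactly this size is a quick regression check.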

