[New-bugs-announce] [issue20504] cgi.FieldStorage, multipart, missing Content-Length

Sebastian Rittau report at bugs.python.org
Mon Feb 3 22:33:19 CET 2014

New submission from Sebastian Rittau:

Consider the attached test case. This test will run fine with Python 2.7, but will fail with Python 3.3. If cgi.FieldStorage() tries to parse a multipart request without a Content-Length header in the main section, segments will have a length of 0.

During the parse process, two instances of FieldStorage are involved. The outer one reads the whole request and creates and delegates reading of the fragment to inner instances.

The main problem is that FieldStorage.read_lines_to_outerboundary() of the inner FieldStorage will read nothing, since self.limit is lower than zero.

    def read_lines_to_outerboundary(self):
        while 1:
            if _read >= self.limit:

This happens, since limit is passed when creating the inner instance in FieldStorage.read_multi():

    def read_multi(self, environ, keep_blank_values, strict_parsing):
            part = klass(self.fp, headers, ib, environ, keep_blank_values,
                         self.encoding, self.errors)

Now, if the total request did not have a Content-Length header, self.limit will be -1.

The naive fix works for the test case, at least, but I don't know if there are other repercussions:

--- /usr/lib/python3.3/cgi.py	2014-02-03 22:31:16.649431125 +0100
+++ cgi.py	2014-02-03 22:32:14.849704379 +0100
@@ -788,7 +788,7 @@
         last_line_lfend = True
         _read = 0
         while 1:
-            if _read >= self.limit:
+            if self.limit >= 0 and _read >= self.limit:
             line = self.fp.readline(1<<16) # bytes
             self.bytes_read += len(line)

components: Library (Lib)
files: cgi-bug.py
messages: 210166
nosy: srittau
priority: normal
severity: normal
status: open
title: cgi.FieldStorage, multipart, missing Content-Length
versions: Python 3.3
Added file: http://bugs.python.org/file33891/cgi-bug.py

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list