[issue11269] cgi.FieldStorage forgets to unquote field names when parsing multipart/form-data
Sergey Schetinin
report at bugs.python.org
Fri Feb 25 19:47:00 CET 2011
Sergey Schetinin <sergey at maluke.com> added the comment:
It does work (Python 2.7.1 here):
>>> import cgi
>>> cgi.parse_header('Content-Disposition: form-data; name=""%22"')
('Content-Disposition: form-data', {'name': '"%22'})
>>> cgi.parse_header('Content-Disposition: form-data; name="\\"%22"')
('Content-Disposition: form-data', {'name': '"%22'})
However, as the unescaping is done with sequential .replace calls, one can construct a header to make it unescape incorrectly:
>>> cgi.parse_header('Content-Disposition: form-data; name="\\\\"%22"')
('Content-Disposition: form-data', {'name': '"%22'})
Which should be:
('Content-Disposition: form-data', {'name': '\\"%22'})
That probably doesn't matter anyway.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11269>
_______________________________________
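The difference between chained .replace unescaping and a single left-to-right scan, as an added example that is not part of the original message or of CPython's code. It goes slightly beyond the message by also flagging bodies that contain a bare quote or dangling backslash. All function names are hypothetical, the sample bodies are constructed (the first three are the text between the outer quotes of the three name="..." values above), and the cgi module itself is not called.

```python
import re

# One escape token: a backslash followed by a backslash or a double quote.
_ESCAPE = re.compile(r'\\([\\"])')
# A body in which every backslash and every quote is part of an escape token.
_WELL_FORMED = re.compile(r'(?:\\[\\"]|[^"\\])*')


def unquote_sequential(inner):
    """Chained .replace calls: the second pass re-reads output of the first."""
    return inner.replace('\\\\', '\\').replace('\\"', '"')


def unquote_single_pass(inner):
    """One left-to-right scan: each escape token is consumed exactly once."""
    return _ESCAPE.sub(r'\1', inner)


def is_well_formed(inner):
    """True when the body has no bare quote and no dangling backslash."""
    return _WELL_FORMED.fullmatch(inner) is not None


def audit(inner):
    """Return (sequential, single_pass, well_formed) for one quoted body."""
    return (unquote_sequential(inner), unquote_single_pass(inner),
            is_well_formed(inner))


# Constructed sample bodies (hypothetical input, written as Python literals).
SAMPLES = ['"%22', '\\"%22', '\\\\"%22', 'a\\\\b', '\\\\\\"x']

if __name__ == '__main__':
    for body in SAMPLES:
        seq, one, ok = audit(body)
        flag = 'same' if seq == one else 'DIFFER'
        print(f'{body!r:14} seq={seq!r:10} one={one!r:10} '
              f'well_formed={ok} {flag}')
```

The two decoders agree on every body that is_well_formed accepts and diverge only on bodies like the third sample, so a parser that rejects malformed bodies before unescaping never reaches the ambiguous case.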