[Python-checkins] CVS: python/dist/src/Lib cgi.py,1.63,1.63.2.1
Anthony Baxter
anthonybaxter@users.sourceforge.net
Tue, 04 Dec 2001 21:10:30 -0800
Update of /cvsroot/python/python/dist/src/Lib
In directory usw-pr-cvs1:/tmp/cvs-serv12253
Modified Files:
Tag: release21-maint
cgi.py
Log Message:
backport of 1.64, 1.65, 1.68:
1.64: Solve SF bug #231249: cgi.py opens too many (temporary) files.
1.65: Fix a denial-of-service attack, SF bug #443120.
1.68: "ib" should be "boundary"; reported by Neal Norwitz.
the first two of these are pretty severe bugs.
Index: cgi.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/cgi.py,v
retrieving revision 1.63
retrieving revision 1.63.2.1
diff -C2 -d -r1.63 -r1.63.2.1
*** cgi.py 2001/03/19 13:40:44 1.63
--- cgi.py 2001/12/05 05:10:28 1.63.2.1
***************
*** 29,33 ****
#
! __version__ = "2.5"
--- 29,33 ----
#
! __version__ = "2.6"
***************
*** 244,251 ****
"""
if pdict.has_key('boundary'):
boundary = pdict['boundary']
! else:
! boundary = ""
nextpart = "--" + boundary
lastpart = "--" + boundary + "--"
--- 244,254 ----
"""
+ boundary = ""
if pdict.has_key('boundary'):
boundary = pdict['boundary']
! if not valid_boundary(boundary):
! raise ValueError, ('Invalid boundary in multipart form: %s'
! % `boundary`)
!
nextpart = "--" + boundary
lastpart = "--" + boundary + "--"
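Review bot: A request whose content type carries no boundary parameter now raises ValueError instead of parsing with a bare "--" delimiter, because `boundary` stays "" and the pattern in valid_boundary needs at least one character. That looks intended, but it is not documented. The docstring that closes at the top of this hunk should gain a line such as `Raises ValueError if the boundary is missing or is not 1 to 201 printable ASCII characters.`, and the same sentence fits read_multi, which gets the identical check-and-raise. The enclosing function starts and ends outside the hunk.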
***************
*** 596,607 ****
def read_multi(self, environ, keep_blank_values, strict_parsing):
"""Internal: read a part that is itself multipart."""
self.list = []
klass = self.FieldStorageClass or self.__class__
! part = klass(self.fp, {}, self.innerboundary,
environ, keep_blank_values, strict_parsing)
# Throw first part away
while not part.done:
headers = rfc822.Message(self.fp)
! part = klass(self.fp, headers, self.innerboundary,
environ, keep_blank_values, strict_parsing)
self.list.append(part)
--- 599,614 ----
def read_multi(self, environ, keep_blank_values, strict_parsing):
"""Internal: read a part that is itself multipart."""
+ ib = self.innerboundary
+ if not valid_boundary(ib):
+ raise ValueError, ('Invalid boundary in multipart form: %s'
+ % `ib`)
self.list = []
klass = self.FieldStorageClass or self.__class__
! part = klass(self.fp, {}, ib,
environ, keep_blank_values, strict_parsing)
# Throw first part away
while not part.done:
headers = rfc822.Message(self.fp)
! part = klass(self.fp, headers, ib,
environ, keep_blank_values, strict_parsing)
self.list.append(part)
***************
*** 634,638 ****
def read_lines(self):
"""Internal: read lines until EOF or outerboundary."""
! self.file = self.make_file('')
if self.outerboundary:
self.read_lines_to_outerboundary()
--- 641,645 ----
def read_lines(self):
"""Internal: read lines until EOF or outerboundary."""
! self.file = self.__file = StringIO()
if self.outerboundary:
self.read_lines_to_outerboundary()
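Review bot: `self.file` is now a StringIO for any part that stays under the spill threshold, so code that treats `.file` as a real temporary file (for example by calling `fileno()`) would fail on small parts. Whether any caller does so is not visible here. A comment on the assignment would make the new contract explicit: `# small parts stay in memory; __write() swaps in make_file() once they grow`. read_lines continues past the end of the hunk.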
***************
*** 640,643 ****
--- 647,658 ----
self.read_lines_to_eof()
+ def __write(self, line):
+ if self.__file is not None:
+ if self.__file.tell() + len(line) > 1000:
+ self.file = self.make_file('')
+ self.file.write(self.__file.getvalue())
+ self.__file = None
+ self.file.write(line)
+
def read_lines_to_eof(self):
"""Internal: read lines until EOF."""
***************
*** 647,651 ****
self.done = -1
break
! self.file.write(line)
def read_lines_to_outerboundary(self):
--- 662,666 ----
self.done = -1
break
! self.__write(line)
def read_lines_to_outerboundary(self):
***************
*** 675,679 ****
else:
delim = ""
! self.file.write(odelim + line)
def skip_lines(self):
--- 690,694 ----
else:
delim = ""
! self.__write(odelim + line)
def skip_lines(self):
***************
*** 992,995 ****
--- 1007,1013 ----
return s
+ def valid_boundary(s, _vb_pattern="^[ -~]{0,200}[!-~]$"):
+ import re
+ return re.match(_vb_pattern, s)
# Invoke mainline
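Review bot: `$` in `_vb_pattern` also matches just before a trailing newline, so a boundary such as `"abc\n"` passes valid_boundary even though newline is outside `[ -~]`. Anchoring with `\Z` closes that gap: `_vb_pattern="^[ -~]{0,200}[!-~]\Z"`. Whether a boundary can actually reach this function with a trailing newline depends on header parsing that is not shown. The function also lacks a docstring; one line saying it accepts 1 to 201 printable ASCII characters, the last not a space, would be enough.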