[Python-checkins] CVS: python/dist/src/Lib cgi.py,1.64,1.65
Guido van Rossum
gvanrossum@users.sourceforge.net
Wed, 25 Jul 2001 14:00:21 -0700
Update of /cvsroot/python/python/dist/src/Lib
In directory usw-pr-cvs1:/tmp/cvs-serv20163
Modified Files:
cgi.py
Log Message:
Fix a denial-of-service attack, SF bug #443120.
Code by Evan Simpson.
Index: cgi.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/cgi.py,v
retrieving revision 1.64
retrieving revision 1.65
diff -C2 -d -r1.64 -r1.65
*** cgi.py 2001/06/29 13:06:06 1.64
--- cgi.py 2001/07/25 21:00:19 1.65
***************
*** 244,251 ****
"""
if pdict.has_key('boundary'):
boundary = pdict['boundary']
! else:
! boundary = ""
nextpart = "--" + boundary
lastpart = "--" + boundary + "--"
--- 244,254 ----
"""
+ boundary = ""
if pdict.has_key('boundary'):
boundary = pdict['boundary']
! if not valid_boundary(boundary):
! raise ValueError, ('Invalid boundary in multipart form: %s'
! % `ib`)
!
nextpart = "--" + boundary
lastpart = "--" + boundary + "--"
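Review bot: The error message in the added check formats `ib`, but the visible lines of this function bind no such name; the local that holds the value is `boundary`. Unless `ib` is defined above the hunk (the function starts outside it), a rejected boundary would raise NameError instead of the intended ValueError, so callers catching ValueError would miss it. The format argument should use `boundary` in place of `ib`. Separately, when `pdict` has no 'boundary' key the value stays `""`, which the pattern in `valid_boundary` rejects because it requires at least one character. That turns a previously accepted input into an exception, which looks intentional but deserves a comment such as `# an absent or empty boundary is rejected as well`.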
***************
*** 596,607 ****
def read_multi(self, environ, keep_blank_values, strict_parsing):
"""Internal: read a part that is itself multipart."""
self.list = []
klass = self.FieldStorageClass or self.__class__
! part = klass(self.fp, {}, self.innerboundary,
environ, keep_blank_values, strict_parsing)
# Throw first part away
while not part.done:
headers = rfc822.Message(self.fp)
! part = klass(self.fp, headers, self.innerboundary,
environ, keep_blank_values, strict_parsing)
self.list.append(part)
--- 599,614 ----
def read_multi(self, environ, keep_blank_values, strict_parsing):
"""Internal: read a part that is itself multipart."""
+ ib = self.innerboundary
+ if not valid_boundary(ib):
+ raise ValueError, ('Invalid boundary in multipart form: %s'
+ % `ib`)
self.list = []
klass = self.FieldStorageClass or self.__class__
! part = klass(self.fp, {}, ib,
environ, keep_blank_values, strict_parsing)
# Throw first part away
while not part.done:
headers = rfc822.Message(self.fp)
! part = klass(self.fp, headers, ib,
environ, keep_blank_values, strict_parsing)
self.list.append(part)
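Review bot: The docstring of `read_multi` does not say that the method now raises ValueError when `self.innerboundary` fails `valid_boundary`. The check runs before `self.list = []`, so unless `list` is initialised elsewhere, a caller that catches the exception is left with an instance on which this method never set it. I would extend the docstring to `"""Internal: read a part that is itself multipart. Raises ValueError if the inner boundary is invalid."""`. The method body may continue past the end of the hunk.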
***************
*** 1000,1003 ****
--- 1007,1013 ----
return s
+ def valid_boundary(s, _vb_pattern="^[ -~]{0,200}[!-~]$"):
+ import re
+ return re.match(_vb_pattern, s)
# Invoke mainline
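Review bot: The pattern in `valid_boundary` ends with `$`, which `re.match` also satisfies just before a trailing newline, so a string such as `"abc\n"` passes even though newline is outside both character classes. Whether such a value can reach this function depends on header parsing that is not visible here, but the validator should not rely on that; anchoring with `\Z` in a raw string closes the gap: `def valid_boundary(s, _vb_pattern=r"^[ -~]{0,200}[!-~]\Z"):`. The function also lacks a docstring; one line stating that it accepts 1 to 201 printable ASCII characters not ending in a space, and returns a match object or None, would document the contract.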