[Python-checkins] cpython (3.3): Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data

serhiy.storchaka python-checkins at python.org
Mon Jun 17 15:38:28 CEST 2013


http://hg.python.org/cpython/rev/a48f65bac986
changeset:   84182:a48f65bac986
branch:      3.3
parent:      84178:4b2188b13dd2
user:        Serhiy Storchaka <storchaka at gmail.com>
date:        Mon Jun 17 16:34:41 2013 +0300
summary:
  Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
when \r\n appears at end of 65535 bytes without other newlines.

files:
  Lib/cgi.py           |   9 +++++++++
  Lib/test/test_cgi.py |  23 +++++++++++++++++++++++
  Misc/NEWS            |   3 +++
  3 files changed, 35 insertions(+), 0 deletions(-)


diff --git a/Lib/cgi.py b/Lib/cgi.py
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -786,6 +786,9 @@
             if not line:
                 self.done = -1
                 break
+            if delim == b"\r":
+                line = delim + line
+                delim = b""
             if line.startswith(b"--") and last_line_lfend:
                 strippedline = line.rstrip()
                 if strippedline == next_boundary:
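Review bot: The `if not line:` exit at the top of this hunk runs before the new re-attach block, so a body that ends right after a chunk whose trailing `\r` was held back appears to lose that byte, where previously it was written along with its line. Unless code after the loop (outside this hunk) flushes `delim`, consider emitting the pending `\r` before the `break`, or documenting that a truncated part may drop it. The new block also deserves a comment such as `# Re-attach the \r held back from the previous chunk so a split \r\n is seen as one terminator`. The enclosing loop starts and ends outside the hunk.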
@@ -802,6 +805,12 @@
                 delim = b"\n"
                 line = line[:-1]
                 last_line_lfend = True
+            elif line.endswith(b"\r"):
+                # We may interrupt \r\n sequences if they span the 2**16
+                # byte boundary
+                delim = b"\r"
+                line = line[:-1]
+                last_line_lfend = False
             else:
                 delim = b""
                 last_line_lfend = False
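Review bot: The comment on the new `elif` describes only the split `\r\n` case, but the branch is taken for every chunk that ends in `\r`, including a bare carriage return in binary upload data that no `\n` follows. A wording such as `# Chunk ends in \r: hold it back, since the matching \n may start the next chunk; it is re-attached at the top of the loop` would cover both cases and point the reader to the other half of the mechanism in the earlier hunk. The enclosing loop starts and ends outside the hunk.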
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -256,6 +256,29 @@
                     got = getattr(fs.list[x], k)
                     self.assertEqual(got, exp)
 
+    def test_fieldstorage_multipart_maxline(self):
+        # Issue #18167
+        maxline = 1 << 16
+        self.maxDiff = None
+        def check(content):
+            data = """---123
+Content-Disposition: form-data; name="upload"; filename="fake.txt"
+Content-Type: text/plain
+
+%s
+---123--
+""".replace('\n', '\r\n') % content
+            environ = {
+                'CONTENT_LENGTH':   str(len(data)),
+                'CONTENT_TYPE':     'multipart/form-data; boundary=-123',
+                'REQUEST_METHOD':   'POST',
+            }
+            self.assertEqual(gen_result(data, environ),
+                             {'upload': content.encode('latin1')})
+        check('x' * (maxline - 1))
+        check('x' * (maxline - 1) + '\r')
+        check('x' * (maxline - 1) + '\r' + 'y' * (maxline - 1))
+
     _qs_result = {
         'key1': 'value1',
         'key2': ['value2x', 'value2y'],
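Review bot: All three payloads in `test_fieldstorage_multipart_maxline` put the carriage return at exactly offset `maxline - 1`, so an off-by-one in the hold-back logic on either side of the chunk limit would go unnoticed. Adding `check('x' * (maxline - 2) + '\r')` and `check('x' * maxline)` would cover the neighbouring lengths. There is also no case for a truncated upload whose body ends right after the held `\r` with no closing boundary, which is the path where the parser exits before re-attaching the byte. `gen_result` and the enclosing test class are defined outside the hunk.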
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -32,6 +32,9 @@
 Library
 -------
 
+- Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
+  when \r\n appears at end of 65535 bytes without other newlines.
+
 - subprocess: Prevent a possible double close of parent pipe fds when the
   subprocess exec runs into an error.  Prevent a regular multi-close of the
   /dev/null fd when any of stdin, stdout and stderr was set to DEVNULL.

-- 
Repository URL: http://hg.python.org/cpython

