[Python-Dev] cgi.FieldStorage DOS (sf bug #1112549)

Tim Peters tim.peters at gmail.com
Mon Aug 7 06:00:37 CEST 2006

[Chris McDonough, on 7/28/06]
>  From the initial bugreport
> (http://sourceforge.net/tracker/index.php?
> func=detail&aid=1112549&group_id=5470&atid=105470)
> """
> Various parts of cgi.FieldStorage call its
> "read_lines_to_outerboundary", "read_lines" and
> "skip_lines" methods. These methods use the
> "readline" method of the file object that represents an
> input stream. The input stream is typically data
> supplied by an untrusted source (such as a user
> uploading a file from a web browser). The input data
> is not required by the RFC 822/1521/1522/1867
> specifications to contain any newline characters. For
> example, it is within the bounds of the specification
> to supply a a multipart/form-data input stream with a
> "file-data" part that consists of a 2GB string composed
> entirely of "x" characters (which happens to be
> something I did that led me to noticing this bug).
> """
> This bug has been around for about a year but I just worked up a
> patch yesterday that applies OK against current SVN.  It's attached
> to the issue.  Would someone be so kind as to check it in?  Guido has
> already reviewed it, I believe.

Are either of our 2.5 release managers/coordinators on the internal
Python security mailing list?  I am, but only the list admin can see
who's on that list.

Since this bug is thought to be a security hole (the "DOS" in the
subject line doesn't refer to your favorite operating system -- it's
the Denial-Of-Service flavor of DOS), it's important that someone with
sufficient power stare at this one and Pronounce on its fate for
2.5c1.  Here's a clicky thing:


More information about the Python-Dev mailing list