Commit d90f8d10 authored by Donald Stufft

Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage

parent 1058cda3
...@@ -693,8 +693,13 @@ class FieldStorage: ...@@ -693,8 +693,13 @@ class FieldStorage:
raise ValueError("%s should return bytes, got %s" \ raise ValueError("%s should return bytes, got %s" \
% (self.fp, type(first_line).__name__)) % (self.fp, type(first_line).__name__))
self.bytes_read += len(first_line) self.bytes_read += len(first_line)
# first line holds boundary ; ignore it, or check that
# b"--" + ib == first_line.strip() ? # Ensure that we consume the file until we've hit our inner boundary
while (first_line.strip() != (b"--" + self.innerboundary) and
first_line):
first_line = self.fp.readline()
self.bytes_read += len(first_line)
while True: while True:
parser = FeedParser() parser = FeedParser()
hdr_text = b"" hdr_text = b""
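Review bot: The new preamble loop has no bound other than EOF: `self.fp.readline()` is called without a size argument and nothing compares `self.bytes_read` with the declared body length, so a body that never contains `b"--" + self.innerboundary` is read to the end of the stream, and a single very long preamble line is buffered whole. If `fp` is a stream that does not signal EOF at Content-Length (inferred; the caller is outside the hunk), the loop can block or consume data past the body. Consider stopping once the declared length is reached, e.g. `if self.length >= 0 and self.bytes_read >= self.length: break` inside the loop, assuming `length` holds the parsed Content-Length as elsewhere in the class. Separately, `first_line.strip()` also accepts a delimiter line with leading whitespace, which is more lenient than a strict line-start match and may disagree with how an upstream filter parses the same body. The enclosing method starts and ends outside the hunk.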
......
...@@ -248,6 +248,25 @@ class CgiTests(unittest.TestCase): ...@@ -248,6 +248,25 @@ class CgiTests(unittest.TestCase):
got = getattr(fs.list[x], k) got = getattr(fs.list[x], k)
self.assertEqual(got, exp) self.assertEqual(got, exp)
def test_fieldstorage_multipart_leading_whitespace(self):
env = {
'REQUEST_METHOD': 'POST',
'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY),
'CONTENT_LENGTH': '560'}
# Add some leading whitespace to our post data that will cause the
# first line to not be the innerboundary.
fp = BytesIO(b"\r\n" + POSTDATA.encode('latin-1'))
fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1")
self.assertEqual(len(fs.list), 4)
expect = [{'name':'id', 'filename':None, 'value':'1234'},
{'name':'title', 'filename':None, 'value':''},
{'name':'file', 'filename':'test.txt', 'value':b'Testing 123.\n'},
{'name':'submit', 'filename':None, 'value':' Add '}]
for x in range(len(fs.list)):
for k, exp in expect[x].items():
got = getattr(fs.list[x], k)
self.assertEqual(got, exp)
def test_fieldstorage_multipart_non_ascii(self): def test_fieldstorage_multipart_non_ascii(self):
#Test basic FieldStorage multipart parsing #Test basic FieldStorage multipart parsing
env = {'REQUEST_METHOD':'POST', env = {'REQUEST_METHOD':'POST',
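Review bot: `test_fieldstorage_multipart_leading_whitespace` covers only a blank-line preamble, so two other paths of the new loop stay untested: a preamble containing ordinary text lines, and a body in which the inner boundary never appears (the loop's EOF exit). A case for each would pin the termination behaviour. `'CONTENT_LENGTH': '560'` is also a hand-computed constant; building the body first, `body = b"\r\n" + POSTDATA.encode('latin-1')`, and passing `'CONTENT_LENGTH': str(len(body))` keeps the header in step with the data.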
......
...@@ -124,6 +124,9 @@ Library ...@@ -124,6 +124,9 @@ Library
- Issue #23361: Fix possible overflow in Windows subprocess creation code. - Issue #23361: Fix possible overflow in Windows subprocess creation code.
- Issue #23801: Fix issue where cgi.FieldStorage did not always ignore the
entire preamble to a multipart body.
Tests Tests
----- -----
......