Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage

e99c6bc0 · Donald Stufft · f331c5af · e99c6bc0 · e99c6bc0 · e99c6bc0
Commit e99c6bc0 authored 9 years ago by Donald Stufft
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 2 deletions

Lib/cgi.py Lib/cgi.py +7 -2

Lib/test/test_cgi.py Lib/test/test_cgi.py +19 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -693,8 +693,13 @@ class FieldStorage:
            raise ValueError("%s should return bytes, got %s" \
                             % (self.fp, type(first_line).__name__))
        self.bytes_read += len(first_line)
-        # first line holds boundary ; ignore it, or check that
-        # b"--" + ib == first_line.strip() ?
+
+        # Ensure that we consume the file until we've hit our inner boundary
+        while (first_line.strip() != (b"--" + self.innerboundary) and
+                first_line):
+            first_line = self.fp.readline()
+            self.bytes_read += len(first_line)
+
        while True:
            parser = FeedParser()
            hdr_text = b""

--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -248,6 +248,25 @@ class CgiTests(unittest.TestCase):
                got = getattr(fs.list[x], k)
                self.assertEqual(got, exp)

+    def test_fieldstorage_multipart_leading_whitespace(self):
+        env = {
+            'REQUEST_METHOD': 'POST',
+            'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY),
+            'CONTENT_LENGTH': '560'}
+        # Add some leading whitespace to our post data that will cause the
+        # first line to not be the innerboundary.
+        fp = BytesIO(b"\r\n" + POSTDATA.encode('latin-1'))
+        fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1")
+        self.assertEqual(len(fs.list), 4)
+        expect = [{'name':'id', 'filename':None, 'value':'1234'},
+                  {'name':'title', 'filename':None, 'value':''},
+                  {'name':'file', 'filename':'test.txt', 'value':b'Testing 123.\n'},
+                  {'name':'submit', 'filename':None, 'value':' Add '}]
+        for x in range(len(fs.list)):
+            for k, exp in expect[x].items():
+                got = getattr(fs.list[x], k)
+                self.assertEqual(got, exp)
+
    def test_fieldstorage_multipart_non_ascii(self):
        #Test basic FieldStorage multipart parsing
        env = {'REQUEST_METHOD':'POST',

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -124,6 +124,9 @@ Library

 - Issue #23361: Fix possible overflow in Windows subprocess creation code.

+- Issue #23801: Fix issue where cgi.FieldStorage did not always ignore the
+  entire preamble to a multipart body.
+
 Tests
 -----