[Web-SIG] Prototype of wsgi.input.readline().

Graham Dumpleton graham.dumpleton at gmail.com
Thu Jan 31 04:30:22 CET 2008


On 31/01/2008, Chris McDonough <chrism at plope.com> wrote:
> Graham Dumpleton wrote:
> >
> >>>
> >>> If the size argument is made mandatory, then it would parallel how
> >>> read() function is defined, but this in itself would mean
> >>> cgi.FieldStorage would break.
> >>>
> >>> This is because cgi.FieldStorage actually calls readline() with no
> >>> argument as well as an argument in different places in the code.
> >> cgi.FieldStorage doesn't call readline() without an argument.
> >> cgi.parse_multipart does, but this function is not used by cgi.FieldStorage.  I
> >> don't know if this changes anything.
> >
> > Not really, I should have said 'cgi' module as a whole rather than
> > specifically cgi.FieldStorage. Given that people might be using
> > cgi.parse_multipart in standard CGI, there would probably still be an
> > expectation that it worked for WSGI. We can't really say that you can
> > use cgi.FieldStorage but not cgi.parse_multipart. People will just
> > expect all the normal tools people would use for this to work.
>
> Personally, I think parse_multipart should go away.  It's not suitable for
> anything but toy usage.

Not necessarily. Someone may see it as a trade-off. The code itself says:

"""This is easy to use but not
    much good if you are expecting megabytes to be uploaded -- in that case,
    use the FieldStorage class instead which is much more flexible."""

So the comment implies it is easier to use, and so some may think it is
simpler for what they are doing if they are only dealing with small
requests.

Of course, it would probably be prudent, if you know your requests are
always going to be small, to use LimitRequestBody in Apache, or a
specific check on content length if handled in Python code, to block
someone sending oversized requests intentionally to try and break
things. Provided you did this, it may be quite reasonable to use it in
specific circumstances.

> If people use it, and they expose their site to the world, arbitrary anonymous
> visitors can cause their Python process size to grow arbitrarily.  I don't
> think any existing well-known framework uses it, for this very reason.
>
> If it can't go away, and there's a problem due to the non-parity between
> parse_multipart's use and FieldStorage's use, I suspect the right answer is to
> change cgi.parse_multipart to pass in a size value for readline too.  I probably
> should have done that when I made the patch. :-(

Graham
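The Python-side check Graham mentions (the equivalent of Apache's LimitRequestBody), as an added example that is not part of this thread, of the cgi module, or of any WSGI server. Two layers are shown: a middleware that refuses a declared Content-Length over the cap before the application runs, and a wrapper around wsgi.input that enforces the same cap on the bytes actually read, so a consumer that calls readline() with no size argument, the way cgi.parse_multipart does, cannot pull an arbitrarily long line into memory even when the client omits or lies about Content-Length. The names BoundedInput, max_body_middleware and count_lines_app are assumptions of this example; the toy app stands in for parse_multipart rather than importing cgi, which is gone from Python 3.13.

```python
"""Cap the request body before anything calls readline() without a size.

Added example for the Web-SIG thread above, not code from the thread, the
cgi module or any WSGI server. Names below are hypothetical.
"""
import io


class BodyTooLarge(ValueError):
    """Raised once more than the configured number of bytes has been read."""


class BoundedInput:
    """File-like wrapper around wsgi.input that enforces a total byte cap.

    read() and readline(), with or without a size argument, are limited to
    the bytes still allowed; going past the cap raises BodyTooLarge instead
    of letting the caller accumulate an arbitrarily long line in memory.
    """

    def __init__(self, stream, limit):
        self._stream = stream
        self._limit = limit
        self._consumed = 0

    def _budget(self, size):
        # Ask the underlying stream for at most one byte beyond what is still
        # allowed; that extra byte is how an over-long line or body is caught.
        allowed = self._limit - self._consumed + 1
        if size is None or size < 0:
            return allowed
        return min(size, allowed)

    def _account(self, data):
        self._consumed += len(data)
        if self._consumed > self._limit:
            raise BodyTooLarge("request body exceeds %d bytes" % self._limit)
        return data

    def read(self, size=-1):
        return self._account(self._stream.read(self._budget(size)))

    def readline(self, size=-1):
        return self._account(self._stream.readline(self._budget(size)))

    def readlines(self, hint=-1):
        return list(self)

    def __iter__(self):
        while True:
            line = self.readline()  # no size, as cgi.parse_multipart does
            if not line:
                return
            yield line


def max_body_middleware(app, max_bytes):
    """Reject declared bodies over max_bytes and bound wsgi.input for the rest."""

    def wrapper(environ, start_response):
        try:
            declared = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"malformed Content-Length\n"]
        if declared < 0 or declared > max_bytes:
            start_response("413 Request Entity Too Large",
                           [("Content-Type", "text/plain")])
            return [b"request body too large\n"]
        # The declared length is only a hint; the wrapper enforces the cap
        # on what is really read, so a missing or false header does not help.
        environ["wsgi.input"] = BoundedInput(environ["wsgi.input"], max_bytes)
        return app(environ, start_response)

    return wrapper


def count_lines_app(environ, start_response):
    """Toy app that, like cgi.parse_multipart, reads lines with no size."""
    try:
        lines = environ["wsgi.input"].readlines()
    except BodyTooLarge:
        start_response("413 Request Entity Too Large",
                       [("Content-Type", "text/plain")])
        return [b"request body too large\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"%d lines\n" % len(lines)]


def run_request(app, body, content_length=None):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    out = b"".join(app(environ, start_response))
    return seen["status"], out


def read_all_lines(body, limit):
    """Read a constructed body through BoundedInput; raises if over limit."""
    return BoundedInput(io.BytesIO(body), limit).readlines()


if __name__ == "__main__":
    app = max_body_middleware(count_lines_app, 32)
    print(run_request(app, b"a=1\nb=2\n", content_length=8))   # 200, 2 lines
    print(run_request(app, b"x" * 100, content_length=100))    # 413 up front
    print(run_request(app, b"x" * 100, content_length=8))      # 413, lied
    print(run_request(app, b"x" * 100))                        # 413, no header
```

The cap counts total bytes handed out, not bytes per call, so a client cannot get around it by sending many short lines any more than by sending one long one; the cost is that an application which legitimately needs larger uploads must be mounted outside this middleware or given a higher limit.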

