[Python-checkins] cpython (3.4): Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage

donald.stufft python-checkins at python.org
Sun Mar 29 22:43:29 CEST 2015


https://hg.python.org/cpython/rev/3af77d1c5c47
changeset:   95249:3af77d1c5c47
branch:      3.4
parent:      95247:77c04e949b4b
user:        Donald Stufft <donald at stufft.io>
date:        Sun Mar 29 16:43:23 2015 -0400
summary:
  Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage

files:
  Lib/cgi.py           |   9 +++++++--
  Lib/test/test_cgi.py |  19 +++++++++++++++++++
  Misc/NEWS            |   3 +++
  3 files changed, 29 insertions(+), 2 deletions(-)


diff --git a/Lib/cgi.py b/Lib/cgi.py
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -693,8 +693,13 @@
             raise ValueError("%s should return bytes, got %s" \
                              % (self.fp, type(first_line).__name__))
         self.bytes_read += len(first_line)
-        # first line holds boundary ; ignore it, or check that
-        # b"--" + ib == first_line.strip() ?
+
+        # Ensure that we consume the file until we've hit our inner boundary
+        while (first_line.strip() != (b"--" + self.innerboundary) and
+                first_line):
+            first_line = self.fp.readline()
+            self.bytes_read += len(first_line)
+
         while True:
             parser = FeedParser()
             hdr_text = b""
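Review bot: The preamble-skipping loop calls `self.fp.readline()` with no size argument and exits only on the inner boundary or EOF, so a client-supplied preamble is read to the end, and any single line of it is buffered whole however long it is. Consider a bounded read such as `first_line = self.fp.readline(1 << 16)`, which I believe is the form the other line readers in cgi.py use. With a bounded read the loop would also need to track whether the previous chunk ended in a newline, so that a chunk from the middle of a long line is not taken for the boundary. Whether `bytes_read` is later compared against the declared content length cannot be seen here, because the enclosing method starts and ends outside the hunk.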
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -248,6 +248,25 @@
                 got = getattr(fs.list[x], k)
                 self.assertEqual(got, exp)
 
+    def test_fieldstorage_multipart_leading_whitespace(self):
+        env = {
+            'REQUEST_METHOD': 'POST',
+            'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY),
+            'CONTENT_LENGTH': '560'}
+        # Add some leading whitespace to our post data that will cause the
+        # first line to not be the innerboundary.
+        fp = BytesIO(b"\r\n" + POSTDATA.encode('latin-1'))
+        fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1")
+        self.assertEqual(len(fs.list), 4)
+        expect = [{'name':'id', 'filename':None, 'value':'1234'},
+                  {'name':'title', 'filename':None, 'value':''},
+                  {'name':'file', 'filename':'test.txt', 'value':b'Testing 123.\n'},
+                  {'name':'submit', 'filename':None, 'value':' Add '}]
+        for x in range(len(fs.list)):
+            for k, exp in expect[x].items():
+                got = getattr(fs.list[x], k)
+                self.assertEqual(got, exp)
+
     def test_fieldstorage_multipart_non_ascii(self):
         #Test basic FieldStorage multipart parsing
         env = {'REQUEST_METHOD':'POST',
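Review bot: `test_fieldstorage_multipart_leading_whitespace` covers only a bare `b"\r\n"` ahead of the first boundary, so the new loop's other paths are not pinned: a preamble of several non-empty text lines, and a body in which the boundary never appears, where the loop must end on EOF. A second case built with `fp = BytesIO(b"preamble text\r\nmore\r\n" + POSTDATA.encode('latin-1'))` would cover the first of these. `'CONTENT_LENGTH': '560'` is hard-coded beside a body that the test modifies; deriving it from the length of the bytes passed to `BytesIO` would keep the header and the data in step if either changes.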
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -124,6 +124,9 @@
 
 - Issue #23361: Fix possible overflow in Windows subprocess creation code.
 
+- Issue #23801: Fix issue where cgi.FieldStorage did not always ignore the
+  entire preamble to a multipart body.
+
 Tests
 -----
 

-- 
Repository URL: https://hg.python.org/cpython

