From: Trim21 <trim21.me@gmail.com>
Date: Wed, 25 Sep 2024 11:27:55 +0000 (+0800)
Subject: generate boundary with token_hex (#2702)
X-Git-Tag: 0.39.1~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=075efd0c5c9f5e49a4416f3b4a24e24efab135f8;p=thirdparty%2Fstarlette.git

generate boundary with token_hex (#2702)

* generate boundary with token_hex

* generate boundary with token_hex

* fix

* boundary size

* Update starlette/responses.py

---------

Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
---

diff --git a/starlette/responses.py b/starlette/responses.py
index b951e512..790aa7eb 100644
--- a/starlette/responses.py
+++ b/starlette/responses.py
@@ -11,7 +11,7 @@ from datetime import datetime
 from email.utils import format_datetime, formatdate
 from functools import partial
 from mimetypes import guess_type
-from random import choices as random_choices
+from secrets import token_hex
 from urllib.parse import quote
 
 import anyio
@@ -401,7 +401,8 @@ class FileResponse(Response):
         file_size: int,
         send_header_only: bool,
     ) -> None:
-        boundary = "".join(random_choices("abcdefghijklmnopqrstuvwxyz0123456789", k=13))
+        # In firefox and chrome, they use boundary with 95-96 bits entropy (that's roughly 13 bytes).
+        boundary = token_hex(13)
         content_length, header_generator = self.generate_multipart(
             ranges, boundary, file_size, self.headers["content-type"]
         )
diff --git a/tests/test_responses.py b/tests/test_responses.py
index 645d26a6..1fb8c6be 100644
--- a/tests/test_responses.py
+++ b/tests/test_responses.py
@@ -598,13 +598,13 @@ def test_file_response_range_multi(file_response_client: TestClient) -> None:
     response = file_response_client.get("/", headers={"Range": "bytes=0-100, 200-300"})
     assert response.status_code == 206
     assert response.headers["content-range"].startswith("multipart/byteranges; boundary=")
-    assert response.headers["content-length"] == "400"
+    assert response.headers["content-length"] == "439"
 
 
 def test_file_response_range_multi_head(file_response_client: TestClient) -> None:
     response = file_response_client.head("/", headers={"Range": "bytes=0-100, 200-300"})
     assert response.status_code == 206
-    assert response.headers["content-length"] == "400"
+    assert response.headers["content-length"] == "439"
     assert response.content == b""
 
     response = file_response_client.head(