From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 15 Jun 2020 15:33:32 +0000 (-0700)
Subject: [3.7] bpo-34226: fix cgi.parse_multipart without content_length (GH-8530) (GH-20892)
X-Git-Tag: v3.7.8rc1~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa83935a56d1fd4d72d4de5f0278a240a2d6844d;p=thirdparty%2FPython%2Fcpython.git

[3.7] bpo-34226: fix cgi.parse_multipart without content_length (GH-8530) (GH-20892)

In Python 3.7 the behavior of parse_multipart changed requiring CONTENT-LENGTH header, this fix remove this header as required and fix FieldStorage read_lines_to_outerboundary, by not using limit when it's negative, since by default it's -1 if not content-length and keeps substracting what was read from the file object. Also added a test case for this problem.
(cherry picked from commit d8cf3514dd4682419a66f6e834bb384ee34afc95)
Co-authored-by: roger
Automerge-Triggered-By: @ned-deily
---
diff --git a/Lib/cgi.py b/Lib/cgi.py
index df84f1fe69cf..5a001667efca 100755
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -217,7 +217,10 @@ def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"):
 ctype = "multipart/form-data; boundary={}".format(boundary)
 headers = Message()
 headers.set_type(ctype)
- headers['Content-Length'] = pdict['CONTENT-LENGTH']
+ try:
+ headers['Content-Length'] = pdict['CONTENT-LENGTH']
+ except KeyError:
+ pass
 fs = FieldStorage(fp, headers=headers, encoding=encoding, errors=errors,
 environ={'REQUEST_METHOD': 'POST'})
 return {k: fs.getlist(k) for k in fs}
@@ -753,7 +756,8 @@ class FieldStorage:
 last_line_lfend = True
 _read = 0
 while 1:
- if self.limit is not None and _read >= self.limit:
+
+ if self.limit is not None and 0 <= self.limit <= _read:
 break
 line = self.fp.readline(1<<16) # bytes
 self.bytes_read += len(line)
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
index b46be67f7732..220268e14f03 100644
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
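Review bot: The `except KeyError: pass` added to `parse_multipart` silently changes how much of `fp` gets consumed when `pdict` has no 'CONTENT-LENGTH', and nothing in the visible code says so; going by the commit description, the length limit is then simply not applied. A comment on the `pass`, for example `# no CONTENT-LENGTH: the body is read up to the closing boundary or EOF; the caller must bound fp`, plus a matching sentence in the function's docstring (which lies outside this hunk), would tell callers that parse untrusted request bodies to cap the stream themselves. The lookup would also read more directly without exception handling, as `if 'CONTENT-LENGTH' in pdict:` followed by the assignment.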
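Review bot: The new guard `0 <= self.limit <= _read` in the `FieldStorage` read loop treats every negative `self.limit` as "no limit", yet the commit description says the value keeps being reduced by what was already read. If a negative value can therefore also mean that a declared Content-Length has been used up, a body longer than its declared length would now be read on to the boundary or EOF instead of stopping. It would be safer to keep "no Content-Length" as a distinct sentinel where the limit is computed (outside this hunk), and in any case to explain the condition with a comment such as `# negative limit: no Content-Length was given, read until the boundary or EOF`. The empty added line directly under `while 1:` looks accidental and can be dropped. The enclosing method starts and ends outside the hunk.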
@@ -130,6 +130,20 @@ class CgiTests(unittest.TestCase):
 'file': [b'Testing 123.\n'], 'title': ['']}
 self.assertEqual(result, expected)
 
+ def test_parse_multipart_without_content_length(self):
+ POSTDATA = '''--JfISa01
+Content-Disposition: form-data; name="submit-name"
+
+just a string
+
+--JfISa01--
+'''
+ fp = BytesIO(POSTDATA.encode('latin1'))
+ env = {'boundary': 'JfISa01'.encode('latin1')}
+ result = cgi.parse_multipart(fp, env)
+ expected = {'submit-name': ['just a string\n']}
+ self.assertEqual(result, expected)
+
 def test_parse_multipart_invalid_encoding(self):
 BOUNDARY = "JfISa01"
 POSTDATA = """--JfISa01
diff --git a/Misc/NEWS.d/next/Library/2018-07-29-12-14-54.bpo-34226.BE7zbu.rst b/Misc/NEWS.d/next/Library/2018-07-29-12-14-54.bpo-34226.BE7zbu.rst
new file mode 100644
index 000000000000..2656b4bf22ae
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-07-29-12-14-54.bpo-34226.BE7zbu.rst
@@ -0,0 +1 @@
+Fix `cgi.parse_multipart` without content_length. Patch by Roger Duran
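Review bot: `test_parse_multipart_without_content_length` only feeds a well-formed body that ends with the closing `--JfISa01--` delimiter, so it does not pin how parsing without CONTENT-LENGTH terminates when that delimiter is missing or the stream is truncated. Since the limit check no longer ends the read loop in that situation, a second test that passes the same POSTDATA without its final delimiter line and asserts that `cgi.parse_multipart` still returns would document the end-of-input behaviour. A further case with a 'CONTENT-LENGTH' entry smaller than the actual body would guard the bounded path against regressions from the changed comparison. The local name `env` is also misleading here, because the dict is passed as `pdict`, not as a CGI environment; `pdict = {'boundary': ...}` would match the signature.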