Commit Graph

150 Commits

Author SHA1 Message Date
Adam Goldschmidt fcbe0cb04d
bpo-42967: only use '&' as a query string separator (#24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().

urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.


Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
2021-02-14 14:41:57 -08:00
Mike Lei c143cc379c
Correct referenced RFC number in cgi module (GH-22827)
The quoted sentence can be found from the last paragraph of RFC 2046, Section 5.1, while the content of RFC 2026 is unrelated to this module.
2020-12-16 17:34:19 -08:00
roger d8cf3514dd
bpo-34226: fix cgi.parse_multipart without content_length (GH-8530)
In Python 3.7 the behavior of parse_multipart changed requiring CONTENT-LENGTH
header, this fix removes this header as required and fixes FieldStorage
read_lines_to_outerboundary, by not using limit when it's negative,
since by default it's -1 if not content-length and keeps subtracting what
was read from the file object.

Also added a test case for this problem.
2020-06-15 07:58:54 -07:00
Pierre Quentel 2d7cacacc3 bpo-20504 : in cgi.py, fix bug when a multipart/form-data request has… (#10638)
* bpo-20504 : in cgi.py, fix bug when a multipart/form-data request has no content-length header

* Add Misc/NEWS.d/next file.

* Add rst formatting for NEWS.d/next file

* Replace assert by self.assertEqual
2019-09-11 12:05:53 +01:00
matthewbelisle-wf b79b5c0949 bpo-35028: cgi: Fix max_num_fields off by one error (GH-9973)
https://bugs.python.org/issue35028
2018-10-23 01:14:35 -07:00
matthewbelisle-wf 209144831b bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
2018-10-19 03:52:59 -07:00
INADA Naoki 698865dcbb
bpo-33843: Remove deprecated stuff in cgi module (GH-7662) 2018-06-19 17:28:50 +09:00
Amber Brown 545c955be9 bpo-33497: Add errors param to cgi.parse_multipart and make an encoding in FieldStorage use the given errors (GH-6804) 2018-05-14 18:11:55 -04:00
Pierre Quentel cc3fa204d3 bpo-29979: Rewrite cgi.parse_multipart to make it consistent with FieldStorage (#991) 2017-05-08 05:08:34 -07:00
Serhiy Storchaka 2e576f5aec bpo-30144: Import collections ABC from collections.abc rather than collections. (#1263) 2017-04-24 09:05:00 +03:00
Martin Panter 1cd2772246 Issue #27105: Add cgi.test() to __all__, based on Jacek Kołodziej’s patch 2016-06-06 01:53:28 +00:00
Martin Panter 46f50726a0 Issue #27076: Doc, comment and tests spelling fixes
Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
2016-05-26 05:35:26 +00:00
Victor Stinner 1e26dc7ef6 (Merge 3.4) cgi.FieldStorage.read_multi ignores Content-Length
Issue #24764: cgi.FieldStorage.read_multi() now ignores the Content-Length
header in part headers. Patch written by Peter Landry and reviewed by Pierre
Quentel.
2015-08-18 10:23:16 -07:00
Victor Stinner 6579459d4b cgi.FieldStorage.read_multi ignores Content-Length
Issue #24764: cgi.FieldStorage.read_multi() now ignores the Content-Length
header in part headers. Patch written by Peter Landry and reviewed by Pierre
Quentel.
2015-08-18 10:21:10 -07:00
Benjamin Peterson 0deefd5a94 merge 3.4 (#23801) 2015-03-29 16:45:19 -04:00
Donald Stufft d90f8d10e0 Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage 2015-03-29 16:43:23 -04:00
Berker Peksag bf5e9604cc Issue #20289: cgi.FieldStorage() now supports the context management protocol. 2015-02-06 10:21:37 +02:00
Benjamin Peterson 4d59a78786 remove unused argument (closes #21135) 2014-04-03 10:22:10 -04:00
Senthil Kumaran d87346c0ce merge from 3.3
Issue #19092 - Raise a correct exception when cgi.FieldStorage is given an
invalid file-obj. Also use __bool__ to determine the bool of the FieldStorage
object.
2014-01-11 22:22:21 -08:00
Senthil Kumaran b4cbb92fbe Issue #19092 - Raise a correct exception when cgi.FieldStorage is given an
invalid file-obj. Also use __bool__ to determine the bool of the FieldStorage
object.
2014-01-11 22:20:16 -08:00
Georg Brandl 12ec29f105 Closes #17335: remove no-op assignment. 2013-10-13 22:16:48 +02:00
Brett Cannon f79126f373 Issue #18394: Explicitly close the file object cgi.FieldStorage
caches.

Eliminates the ResourceWarning raised during testing.

Patch also independently written by Vajrasky Kok.
2013-08-23 15:15:48 -04:00
Florent Xicluna 74a146d3ac Merge #18013: Fix cgi.FieldStorage to parse the W3C sample form. 2013-07-07 12:46:28 +02:00
Florent Xicluna 331c3fd874 Issue #18013: Fix cgi.FieldStorage to parse the W3C sample form. 2013-07-07 12:44:28 +02:00
Serhiy Storchaka 774bed7e60 Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
when \r\n appears at end of 65535 bytes without other newlines.
2013-06-17 16:36:20 +03:00
Serhiy Storchaka c7bfe0e42e Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
when \r\n appears at end of 65535 bytes without other newlines.
2013-06-17 16:34:41 +03:00
Senthil Kumaran 42d8773df4 merge from 3.3
Issue #12411: Fix to cgi.parse_multipart to correctly use bytes boundaries and
bytes data. Patch by Jonas Wagner.
2013-01-23 03:01:23 -08:00
Senthil Kumaran c1a7c565aa merge from 3.2
Issue #12411: Fix to cgi.parse_multipart to correctly use bytes boundaries and
bytes data. Patch by Jonas Wagner.
2013-01-23 03:00:26 -08:00
Senthil Kumaran 6b102f251f Issue #12411: Fix to cgi.parse_multipart to correctly use bytes boundaries and
bytes data. Patch by Jonas Wagner.
2013-01-23 02:50:15 -08:00
Andrew Svetlov f7a17b48d7 Replace IOError with OSError (#16715) 2012-12-25 16:47:37 +02:00
Andrew Svetlov 8b33dd8e54 Use OSError instead of os.error (#16720)
Patch by Serhiy Storchaka.
2012-12-24 19:58:48 +02:00
Andrew Svetlov ad28c7f9da Issue #16706: get rid of os.error 2012-12-18 22:02:39 +02:00
Florent Xicluna 67317750af Issue #13248: turn 3.2's PendingDeprecationWarning into 3.3's DeprecationWarning (cgi, importlib, nntplib, smtpd). 2011-12-10 11:07:42 +01:00
Senthil Kumaran 294c231aa5 default - Fix closes Issue12529 - cgi.parse_header failure on double quotes and
semicolons. Patch by Ben Darnell and Petri Lehtinen.
2011-10-20 01:06:59 +08:00
Senthil Kumaran 1ef0c0349e 3.2 - Fix closes Issue12529 - cgi.parse_header failure on double quotes and
semicolons. Patch by Ben Darnell and Petri Lehtinen.
2011-10-20 01:05:44 +08:00
Victor Stinner d33344a030 Add cgi.closelog() function to close the log file 2011-07-14 22:28:36 +02:00
Victor Stinner f1c7ca93c1 cgi: use isinstance(x, list) instead of type(x) == type([]) 2011-01-14 13:08:27 +00:00
Victor Stinner 5c23b8e6ea Issue #4953: cgi.FieldStorage and cgi.parse() parse the request as bytes, not
as unicode, and accept binary files. Add encoding and errors attributes to
cgi.FieldStorage.
2011-01-14 13:05:21 +00:00
Georg Brandl 1f7fffb308 #2830: add html.escape() helper and move cgi.escape() uses in the standard library to it. It defaults to quote=True and also escapes single quotes, which makes casual use safer. The cgi.escape() interface is not touched, but emits a (silent) PendingDeprecationWarning. 2010-10-15 15:57:45 +00:00
Senthil Kumaran 30e86a4767 Fix Issue7007 - Use percent-encoded consistently instead of URL Encoded variations. Changes in Modules. 2010-08-09 20:01:35 +00:00
Benjamin Peterson 8c703a0ba6 Merged revisions 78844 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r78844 | benjamin.peterson | 2010-03-11 16:03:45 -0600 (Thu, 11 Mar 2010) | 1 line

  revert r78842 cgi.py change
........
2010-03-11 22:05:58 +00:00
Benjamin Peterson 894197d9f1 Merged revisions 78841-78842 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r78841 | benjamin.peterson | 2010-03-11 15:50:45 -0600 (Thu, 11 Mar 2010) | 1 line

  remove executable property from doc files
........
  r78842 | benjamin.peterson | 2010-03-11 15:53:25 -0600 (Thu, 11 Mar 2010) | 1 line

  use proper shebang lines
........
2010-03-11 21:55:56 +00:00
Philip Jenvey a394f2dca3 #4351: more appropriate DeprecationWarning stacklevels 2009-05-08 03:57:12 +00:00
Fred Drake 9a0a65b524 Merged revisions 67528 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r67528 | fred.drake | 2008-12-04 13:25:17 -0500 (Thu, 04 Dec 2008) | 4 lines

  Issue #1055234: cgi.parse_header(): Fixed parsing of header parameters to
  support unusual filenames (such as those containing semi-colons) in
  Content-Disposition headers.
........
2008-12-04 19:24:50 +00:00
Facundo Batista a27244bfa1 Added a warning filter so as not to show the warning during
the tests. Also fixed the warning message in cgi.py
2008-09-09 02:43:19 +00:00
Facundo Batista c469d4c3aa Issue 600362: Relocated parse_qs() and parse_qsl(), from the cgi module
to the urlparse one.  Added a DeprecationWarning in the old module, it
will be deprecated in the future.  Docs and tests updated.
2008-09-03 22:49:01 +00:00
Benjamin Peterson dcf97b98ec Merged revisions 64434-64435,64440-64443,64445,64447-64448,64450,64452,64455,64461,64464,64466,64468 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r64434 | andrew.kuchling | 2008-06-20 18:13:58 -0500 (Fri, 20 Jun 2008) | 1 line

  Remove request for e-mail; it's unlikely these classes will be saved
........
  r64435 | andrew.kuchling | 2008-06-20 18:14:32 -0500 (Fri, 20 Jun 2008) | 1 line

  Grammar fixes
........
  r64440 | andrew.kuchling | 2008-06-21 08:29:12 -0500 (Sat, 21 Jun 2008) | 1 line

  Docstring typo
........
  r64441 | andrew.kuchling | 2008-06-21 08:47:20 -0500 (Sat, 21 Jun 2008) | 1 line

  Use repr() for bad input strings; this makes the empty string or binary characters more visible
........
  r64442 | andrew.kuchling | 2008-06-21 08:48:38 -0500 (Sat, 21 Jun 2008) | 1 line

  Docstring correction
........
  r64443 | georg.brandl | 2008-06-21 09:26:19 -0500 (Sat, 21 Jun 2008) | 2 lines

  Documentation fix.
........
  r64445 | facundo.batista | 2008-06-21 12:30:06 -0500 (Sat, 21 Jun 2008) | 3 lines


  Reviewed and updated the documentation. Fixes #3017.
........
  r64447 | facundo.batista | 2008-06-21 13:58:04 -0500 (Sat, 21 Jun 2008) | 6 lines


  Now a form submitted via POST that also has a query string
  will contain both FieldStorage and MiniFieldStorage items.

  Fixes #1817.
........
  r64448 | facundo.batista | 2008-06-21 14:48:19 -0500 (Sat, 21 Jun 2008) | 5 lines


  In the deprecated functions I added an alert to review
  specially a section of the subprocess documentation
  that helps with the replacing of those functions.
........
  r64450 | georg.brandl | 2008-06-22 04:05:29 -0500 (Sun, 22 Jun 2008) | 2 lines

  Turn section references into proper cross-references.
........
  r64452 | facundo.batista | 2008-06-22 08:36:20 -0500 (Sun, 22 Jun 2008) | 5 lines


  Issue #2722. Now the char buffer to support the path string does
  not have a fixed length, it mallocs memory if needed. As a result, we
  don't have a maximum for the getcwd() method.
........
  r64455 | facundo.batista | 2008-06-22 10:27:10 -0500 (Sun, 22 Jun 2008) | 4 lines


  Issue 3164. Small fix to not repeat a comparison
  without necessity.
........
  r64461 | georg.brandl | 2008-06-22 13:11:52 -0500 (Sun, 22 Jun 2008) | 2 lines

  #3085: Fix syntax error.
........
  r64464 | georg.brandl | 2008-06-22 13:31:54 -0500 (Sun, 22 Jun 2008) | 2 lines

  Expand docstrings of sqlite3 functions.
........
  r64466 | georg.brandl | 2008-06-22 14:07:59 -0500 (Sun, 22 Jun 2008) | 2 lines

  Write out "phi" consistently.
........
  r64468 | facundo.batista | 2008-06-22 14:35:24 -0500 (Sun, 22 Jun 2008) | 4 lines


  Just returning nothing instead of raising TestSkipped, because
  it makes the test fail in the trunk.loewis-sun buildbot.
........
2008-07-02 17:30:14 +00:00
Jeremy Hylton 1afc169616 Make a new urllib package.
It consists of code from urllib, urllib2, urlparse, and robotparser.
The old modules have all been removed.  The new package has five
submodules: urllib.parse, urllib.request, urllib.response,
urllib.error, and urllib.robotparser.  The urllib.request.urlopen()
function uses the url opener from urllib2.

Note that the unittests have not been renamed for the
beta, but they will be renamed in the future.

Joint work with Senthil Kumaran.
2008-06-18 20:49:58 +00:00
Benjamin Peterson ab82a97b73 remove a mimetools import 2008-06-12 17:36:10 +00:00
Barry Warsaw 820c120059 Patch for issue 2848, mostly by Humberto Diogenes, with a couple of
small fixes by Barry.  This removes mimetools from the stdlib.
2008-06-12 04:06:45 +00:00