Commit Graph

66 Commits

Author SHA1 Message Date
Tim Peters ab9ba27dc0 Whitespace normalization. 2001-08-09 21:40:30 +00:00
Guido van Rossum 2e441f7836 Fix a denial-of-service attack, SF bug #443120.
Code by Evan Simpson.
2001-07-25 21:00:19 +00:00
Guido van Rossum 52b8c29ca7 Solve SF bug #231249: cgi.py opens too many (temporary) files.
class FieldStorage: this patch changes read_lines() and co. to use a
StringIO() instead of a real file.  The write() calls are redirected
to a private method that replaces it with a real, external file only
when it gets too big (> 1000 bytes).

This avoids problems in forms using the multipart/form-data encoding
with many fields.  The original code created a temporary file for
*every* field (not just for file upload fields), thereby sometimes
exceeding the open file limit of some systems.

Note that the simpler solution "use a real file only for file uploads"
can't be used because the form field parser has no way to tell which
fields correspond to file uploads.

It's *possible* but extremely unlikely that this would break someone's
code; they would have to be stepping way outside the documented
interface for FieldStorage and use f.file.fileno(), or depend on
overriding make_file() to return a file-like object with additional
known properties.
2001-06-29 13:06:06 +00:00
Guido van Rossum a8423a95b8 Add a whole lot of stuff to __all__.
(Excluding the logging stuff, which doesn't lend itself to use via
"from cgi import *" -- it manipulates globals.)
2001-03-19 13:40:44 +00:00
Skip Montanaro ff443a51eb added missing element to __all__ 2001-02-28 01:03:48 +00:00
Guido van Rossum 467d723bd7 Added a comment explaining why this file must really have #!
/usr/local/bin/python and not #! /usr/bin/env python.
2001-02-13 13:13:33 +00:00
Eric S. Raymond 7e9b4f58b6 String method conversion. 2001-02-09 09:59:10 +00:00
Skip Montanaro e99d5ea25b added __all__ lists to a number of Python modules
added test script and expected output file as well
this closes patch 103297.
__all__ attributes will be added to other modules without first submitting
a patch, just adding the necessary line to the test script to verify
more-or-less correct implementation.
2001-01-20 19:54:20 +00:00
Tim Peters 88869f9787 Whitespace normalization. 2001-01-14 23:36:06 +00:00
Guido van Rossum 7dd06966cb Make Traceback header conform to new traceback ("innermost last" ->
"most recent call last").
2000-12-27 19:12:58 +00:00
Barry Warsaw 7fed217515 This fixes several bug reports concerning memory bloating during large
file uploads.

In response to SF bugs 110674 and 119806, and discussions on
python-dev, we are removing the self.lines attribute from the
FieldStorage class.  Specifically touched were methods __init__(),
read_lines_to_eof(), and skip_lines().

No one can remember why self.lines was added.  Technically, it's part
of the public interface for the class, but it was never documented.
It's possible clever or nosy code will break because of this, but it
was decided to remove it and see who complains.

This resolution also closes the second half of the cgi.py entry in PEP
42.  The first half of that PEP concerns specifically binary file
uploads, where there may be no end-of-line marker for a very long
time.  This patch does not address that issue.
2000-11-06 18:46:09 +00:00
Guido van Rossum 5191463276 Undo Ping's change.
CGI scripts should *not* use /usr/bin/env, since on systems that don't
come standard with Python installed, Python isn't on the default $PATH.

Too bad that this breaks on Linux, where Python is in /usr/bin which
is on the default path -- the point is that you must manually edit
your CGI scripts when you install them.
2000-10-03 13:51:09 +00:00
Ka-Ping Yee 099e534fa4 Change first line to #!/usr/bin/env python (really just to test check-in). 2000-10-03 08:32:00 +00:00
Guido van Rossum a3c6a8a30e Patch #101121, by Ka-Ping Yee: cosmetic cleanup of cgi.py, using my
style conventions.  (Ping has checkin privileges but apparently
ignores them at the moment.)

Ping improves a few doc strings and fixes style violations like foo ( bar ).

An addition of my own: rearrange the printing of various items in
test() so that the (long) environment comes at the end.  This avoids
having to scroll if you want to see the current directory or command
line arguments.
2000-09-19 04:11:46 +00:00
Guido van Rossum 57d51f2f1d Improve the test output a bit. 2000-09-16 21:16:01 +00:00
Jeremy Hylton afde7e24b6 fix bug #110661 (PR#356) -- accept either & or ; as separator for CGI
query string
also some doc string reformatting and use of string methods instead of
    older string.splitfields
2000-09-15 20:06:57 +00:00
Moshe Zadka a1a4b5916b Closing patch #101120 -- After everyone agreed. 2000-08-25 21:47:56 +00:00
Jeremy Hylton c253d9a623 Remove very long doc string (it's all in the docs)
Modify parse_qsl to interpret 'a=b=c' as key 'a' and value 'b=c'
(which matches Perl's CGI.pm)
2000-08-03 20:57:44 +00:00
Thomas Wouters 7e47402264 Spelling fixes supplied by Rob W. W. Hooft. All these are fixes in either
comments, docstrings or error messages. I fixed two minor things in
test_winreg.py ("didn't" -> "Didn't" and "Didnt" -> "Didn't").

There is a minor style issue involved: Guido seems to have preferred English
grammar (behaviour, honour) in a couple places. This patch changes that to
American, which is the more prominent style in the source. I prefer English
myself, so if English is preferred, I'd be happy to supply a patch myself ;)
2000-07-16 12:04:32 +00:00
Guido van Rossum 98d9fd3e68 Simple changes by Gerrit Holl - move author acknowledgements out of
docstrings into comments.
2000-02-28 15:12:25 +00:00
Guido van Rossum 3af7b050a3 Fix a broken r.append(name, value) call, spotted by Tim. 2000-02-25 11:44:03 +00:00
Guido van Rossum 60a3bd8130 After more discussion with Jim, change the behavior so that only a
*missing* content-type at the outer level of a POST defaults to
urlencoded.  In all other circumstances, the default is read_single().
1999-06-11 18:26:09 +00:00
Guido van Rossum 1946f0d6f2 Patch by Jim Fulton: new function parse_qsl(), which is like
parse_qs() but returns a list of (name, value) pairs -- which is
actually more correct.  Use this where it makes sense.
1999-06-04 17:54:39 +00:00
Guido van Rossum ce900defc5 At Jim Fulton's request (actually, as a compromise :-), default the
content-type to application/x-www-form-urlencoded only when the method
is POST.  Ditto for when the content-type is unrecognized -- only
fall back to urlencoded with POST.
1999-06-02 18:44:22 +00:00
Barry Warsaw 302331a3b6 FieldStorage.__init__(): if there is no content-type header, use
text/plain for inner parts, but application/x-www-form-urlencoded
for outer parts.  Honor any existing content-type header.

Lower down, if the content-type header is something we don't
understand (say because there was a typo in the header coming from
the client), default to text/plain for inner parts, but
application/x-www-form-urlencoded for outer parts.
1999-01-08 17:42:03 +00:00
Guido van Rossum 030d2ec16c In read_multi, allow a subclass to override the class we instantiate
when we create a recursive instance, by setting the class variable
'FieldStorageClass' to the desired class.  By default, this is set to
None, in which case we use self.__class__ (as before).
1998-12-09 22:16:46 +00:00
Guido van Rossum f5745008d2 Patch by Jim Fulton, who writes:
"""
The FieldStorage constructor calls the read_multi method.  The read_multi
method creates new FieldStorage objects, re-invoking the constructor
(on the new objects).  The problem is that the 'environ', 'keep_blank_values',
and 'strict_parsing' arguments originally passed to the constructor are not
propagated to the new object constructors.  This causes os.environ to be used,
leading to a mishandling of the parts.

I fixed this by passing these arguments to read_multi and then on to the
constructor.  See the context diff below.
"""
1998-10-20 14:43:02 +00:00
Guido van Rossum 01852838f3 Treat "HEAD" same as "GET", so that CGI scripts won't fail. 1998-06-25 02:40:17 +00:00
Guido van Rossum cff311aa37 Be more careful than the previous patch. The default content-type
should only be set to application/x-www-form-urlencoded when the
method is POST.  E.g. for PUT, an empty default (defaulting to
text/plain later) makes more sense.
1998-06-11 14:06:59 +00:00
Guido van Rossum dd47ec98e2 Default content-type to application/x-www-form-urlencoded at the top
level of a form.  This means that browsers that omit the content-type
header when sending a POST command aren't penalized so heavily.
1998-06-09 19:49:16 +00:00
Guido van Rossum b1b4f94527 Make Tim O'Malley's requested change: in FieldStorage.__init__(), when
method='GET', always get the query string from environ['QUERY_STRING']
or sys.argv[1] -- ignore an explicitly passed in fp.
1998-05-08 19:55:51 +00:00
Guido van Rossum 45e2fbc2e7 Mass check-in after untabifying all files that need it. 1998-03-26 21:13:24 +00:00
Guido van Rossum 00f9fea288 Use string.replace instead of regsub.[g]sub. 1997-12-24 21:18:41 +00:00
Guido van Rossum f15d15964b Use sys.exc_info() where needed. 1997-09-29 23:22:12 +00:00
Guido van Rossum a5e9fb6a65 Changes suggested by Jim Fulton:
- Moved most imports to the top, for faster loading when using ni.
- Always open the temp file in binary mode.
1997-08-12 18:18:13 +00:00
Guido van Rossum 64c6620934 Add optional 'quote' flag argument to escape(); if true, translate '"'
to '&quot;'.
1997-07-19 20:11:53 +00:00
Guido van Rossum d7c9d96d3e Tweak default source of query a bit so it is possible to invoke
a CGI script from the command line with no environment variables.
1997-05-28 15:39:15 +00:00
Guido van Rossum 4305542517 Reworded the doc string to remove the need for The Emacs font-lock kludge.
This required (re)moving all occurrences of '(' in column 0, as well
as changing "#!" to #!.
1997-05-28 15:11:01 +00:00
Guido van Rossum ad16471b27 Untested changes by Skip Montanaro to have an optional limit on the
size of uploads to POST (new version of these patches).
1997-05-13 19:03:23 +00:00
Guido van Rossum 5f32248d56 From: Clarence Gardner <clarence@king.silcom.com>
The function parse_qs currently calls urllib.unquote on the
value of the field submitted, but not on the name.  It needs
to do both.
1997-04-11 18:20:42 +00:00
Guido van Rossum 152f9d9663 Put back #! /usr/local/bin/python. For cgi scripts, /usr/bin/env is
unlikely to find a python binary, as /usr/local/bin is usually not on
the default search path.
1997-02-18 16:55:33 +00:00
Guido van Rossum 88b85d4f63 Add __len__ method 1997-01-11 19:21:33 +00:00
Guido van Rossum f06ee5fa07 /usr/local/bin/python -> /usr/bin/env python 1996-11-27 19:52:01 +00:00
Guido van Rossum e08c04c387 Added 'strict_parsing' option to all parsing functions. This causes a
ValueError exception when the query string contains fields that don't
contain exactly one '=' sign.  (By default, such fields are simply
ignored.)  Added this to the doc string describing parse() and
parse_qs().

Also changed the default for keep_blank_values from None to 0 (the
preferred way to spell 'FALSE').
1996-11-11 19:29:11 +00:00
Guido van Rossum 16d5b113f6 Fix truncated paragraph in doc string.
Bump version to 2.0.
1996-10-24 14:44:32 +00:00
Guido van Rossum c204c70c1a Added logging support. 1996-09-05 19:07:11 +00:00
Guido van Rossum e5e46e0d29 Fixed embarrassing logic bug in read_lines_to_outerboundary(). 1996-09-05 19:03:36 +00:00
Guido van Rossum 9e3f42909a Emacs font-lock de-bogo-kludgificocity 1996-08-26 15:46:13 +00:00
Guido van Rossum f85de8a440 Added print_exception() convenience function. 1996-08-20 20:22:39 +00:00
Guido van Rossum afb5e93e77 For method=POST, append a query string from the environment or from
sys.argv[1], effectively merging the fields.
1996-08-08 18:42:12 +00:00