From ad16471b27eca8e75dd63e633d1f443f88f94738 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Tue, 13 May 1997 19:03:23 +0000
Subject: [PATCH] Untested changes by Skip Montanaro to have an optional limit on the size of uploads to POST (new version of these patches).
---
 Lib/cgi.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/Lib/cgi.py b/Lib/cgi.py
index ccff834d2c5..7fa14426c0a 100755
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -478,6 +478,10 @@ log = initlog # The current logging function
 # Parsing functions
 # =================
+# Maximum input we will accept when REQUEST_METHOD is POST
+# 0 ==> unlimited input
+maxlen = 0
+
 def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
 """Parse a query in the environment or from a file (default stdin)
@@ -508,6 +512,8 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
 return parse_multipart(fp, pdict)
 elif ctype == 'application/x-www-form-urlencoded':
 clength = string.atoi(environ['CONTENT_LENGTH'])
+ if maxlen and clength > maxlen:
+ raise ValueError, 'Maximum content length exceeded'
 qs = fp.read(clength)
 else:
 qs = '' # Unknown content-type
@@ -610,6 +616,8 @@ def parse_multipart(fp, pdict):
 except string.atoi_error:
 pass
 if bytes > 0:
+ if maxlen and bytes > maxlen:
+ raise ValueError, 'Maximum content length exceeded'
 data = fp.read(bytes)
 else:
 data = ""
@@ -829,6 +837,8 @@ class FieldStorage:
 clen = string.atoi(self.headers['content-length'])
 except:
 pass
+ if maxlen and clen > maxlen:
+ raise ValueError, 'Maximum content length exceeded'
 self.length = clen
 self.list = self.file = None
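Review bot: The comment above `maxlen = 0` (first hunk) gives neither the unit nor which entry points honour the limit, and the default leaves it switched off, so a script gets no bound unless it sets `cgi.maxlen` itself. A comment along the lines of `# Maximum POST body size in bytes, compared against the declared content length in parse(), parse_multipart() and FieldStorage; 0 (the default) disables the check` would make that explicit. It is also worth saying that this is a module-wide setting, so changing it affects every parser in the same process.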
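Review bot: In the parse() hunk the new test looks only at the declared CONTENT_LENGTH, so a negative value passes `clength > maxlen` and `fp.read(clength)` then reads to end of input with no bound. With a limit set, the negative case should be rejected in the same test: `if maxlen and (clength < 0 or clength > maxlen):`. The parse_multipart hunk has the same reliance on the declared length (the check runs only when `bytes > 0`), as does the FieldStorage hunk, where `clen` keeps its earlier value if the header is missing or unparsable. How those two paths read the body afterwards is outside the hunks, so whether they stay bounded has to be confirmed in the surrounding code.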
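Review bot: In the parse_multipart hunk the limit appears to be applied to each part's own declared length (`bytes > maxlen`) rather than to the request as a whole, so a body made of many parts that are each under `maxlen` would still be accepted in full. If `maxlen` is meant to cap the whole upload, keep a running total of the bytes read across parts and raise the same ValueError once the total exceeds `maxlen`. The loop that iterates over the parts is outside the hunk, so the per-part reading is inferred from the `bytes` header parsing shown in the context lines.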
@@ -1186,6 +1196,19 @@ def test(environ=os.environ):
 except:
 print_exception()
+ # Second try with a small maxlen...
+ global maxlen
+ maxlen = 50
+ try:
+ form = FieldStorage() # Replace with other classes to test those
+ print_form(form)
+ print_environ(environ)
+ print_directory()
+ print_arguments()
+ print_environ_usage()
+ except:
+ print_exception()
+
 def print_exception(type=None, value=None, tb=None, limit=None):
 if type is None:
 type, value, tb = sys.exc_type, sys.exc_value, sys.exc_traceback
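Review bot: The added block in test() sets the module-level `maxlen = 50` and never restores it, so any parsing done in the same process after test() returns runs with a 50-byte limit. Saving the old value first with `saved_maxlen = maxlen` and assigning `maxlen = saved_maxlen` after the second try block keeps the test from leaking its setting. The `global maxlen` statement would also read better at the top of the function than in the middle of the body. The start of test() is outside the hunk.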