From d90f8d10e088657593fa753ecacab95845d378aa Mon Sep 17 00:00:00 2001 From: Donald Stufft Date: Sun, 29 Mar 2015 16:43:23 -0400 Subject: [PATCH] Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage --- Lib/cgi.py | 9 +++++++-- Lib/test/test_cgi.py | 19 +++++++++++++++++++ Misc/NEWS | 3 +++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Lib/cgi.py b/Lib/cgi.py index 1ef780c11c4..6959c9e5dbd 100755 --- a/Lib/cgi.py +++ b/Lib/cgi.py @@ -693,8 +693,13 @@ class FieldStorage: raise ValueError("%s should return bytes, got %s" \ % (self.fp, type(first_line).__name__)) self.bytes_read += len(first_line) - # first line holds boundary ; ignore it, or check that - # b"--" + ib == first_line.strip() ? + + # Ensure that we consume the file until we've hit our inner boundary + while (first_line.strip() != (b"--" + self.innerboundary) and + first_line): + first_line = self.fp.readline() + self.bytes_read += len(first_line) + while True: parser = FeedParser() hdr_text = b"" diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py index 1127dd12e6d..d2c326bfb20 100644 --- a/Lib/test/test_cgi.py +++ b/Lib/test/test_cgi.py @@ -248,6 +248,25 @@ class CgiTests(unittest.TestCase): got = getattr(fs.list[x], k) self.assertEqual(got, exp) + def test_fieldstorage_multipart_leading_whitespace(self): + env = { + 'REQUEST_METHOD': 'POST', + 'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY), + 'CONTENT_LENGTH': '560'} + # Add some leading whitespace to our post data that will cause the + # first line to not be the innerboundary. + fp = BytesIO(b"\r\n" + POSTDATA.encode('latin-1')) + fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1") + self.assertEqual(len(fs.list), 4) + expect = [{'name':'id', 'filename':None, 'value':'1234'}, + {'name':'title', 'filename':None, 'value':''}, + {'name':'file', 'filename':'test.txt', 'value':b'Testing 123.\n'}, + {'name':'submit', 'filename':None, 'value':' Add '}] + for x in range(len(fs.list)): + for k, exp in expect[x].items(): + got = getattr(fs.list[x], k) + self.assertEqual(got, exp) + def test_fieldstorage_multipart_non_ascii(self): #Test basic FieldStorage multipart parsing env = {'REQUEST_METHOD':'POST', diff --git a/Misc/NEWS b/Misc/NEWS index 9852102f903..48d1801b0c1 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -124,6 +124,9 @@ Library - Issue #23361: Fix possible overflow in Windows subprocess creation code. +- Issue #23801: Fix issue where cgi.FieldStorage did not always ignore the + entire preamble to a multipart body. + Tests -----