105 Commits

Author SHA1 Message Date
matthewbelisle-wf bc6f74a520 bpo-34866: Add max_num_fields to cgi.FieldStorage (GH-9660) (GH-9969)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.

(cherry picked from commit 209144831b)
2018-10-30 22:16:26 +01:00
Martin Panter b1d867f149 Issue #27076: Doc, comment and test function name spelling fixes
Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
2016-05-26 05:28:50 +00:00
Serhiy Storchaka e2cc341ffa Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
when \r\n appears at end of 65535 bytes without other newlines.
2013-06-17 16:33:48 +03:00
Ezio Melotti 94704fc25b #16765: remove unused import. 2012-12-25 14:25:47 +02:00
Senthil Kumaran 59a06d412d Fix closes Issue12529 - cgi.parse_header failure on double quotes and
semicolons. Patch by Ben Darnell and Petri Lehtinen.
2011-10-20 00:52:24 +08:00
Senthil Kumaran a5ba05cd31 Merged revisions 83901 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r83901 | senthil.kumaran | 2010-08-10 01:31:35 +0530 (Tue, 10 Aug 2010) | 3 lines

  Fix Issue7007 -  Use percent-encoded consistently instead of URL Encoded variations. Changes in Modules.
........
2010-08-09 20:18:04 +00:00
Florent Xicluna 78c1871d21 Fix and check cgi module deprecation warnings. Revert an unwanted rename in test_import. 2010-03-17 20:05:11 +00:00
Benjamin Peterson afa595b31b revert r78842 cgi.py change 2010-03-11 22:03:45 +00:00
Benjamin Peterson 651bc32a4e use proper shebang lines 2010-03-11 21:53:25 +00:00
Ezio Melotti ef4909643d #7092: silence more -3 and -Wd warnings 2010-01-31 11:46:54 +00:00
Philip Jenvey d846f1d4c2 #4351: more appropriate DeprecationWarning stacklevels 2009-05-08 02:28:39 +00:00
Fred Drake 5248103ef9 Issue #1055234: cgi.parse_header(): Fixed parsing of header parameters to
support unusual filenames (such as those containing semi-colons) in
Content-Disposition headers.
2008-12-04 18:25:17 +00:00
Facundo Batista ace0bcf669 Issue 3801. Fixing a dumb error in the deprecated parse_qsl()
function.  Tests added.
2008-09-08 00:20:28 +00:00
Facundo Batista c585df9476 Issue 600362: Relocated parse_qs() and parse_qsl(), from the cgi module
to the urlparse one.  Added a PendingDeprecationWarning in the old
module, it will be deprecated in the future.  Docs and tests updated.
2008-09-03 22:35:50 +00:00
Brett Cannon 1eaf0742d8 Move test.test_support.catch_warning() to the warnings module, rename it
catch_warnings(), and clean up the API.

While expanding the test suite, a bug was found where a warning about the
'line' argument to showwarning() was not letting functions with '*args' go
without a warning.

Closes issue 3602.
Code review by Benjamin Peterson.
2008-09-02 01:25:16 +00:00
Brett Cannon 721b1457a0 Silence DeprecationWarning raised by mimetools and rfc822 in cgi. 2008-08-16 22:00:27 +00:00
Facundo Batista a6a4d50efe Now a form submitted via POST that also has a query string
will contain both FieldStorage and MiniFieldStorage items.

Fixes #1817.
2008-06-21 18:58:04 +00:00
Georg Brandl aff85e2d26 Patch #1541463: optimize performance of cgi.FieldStorage operations. 2007-09-20 16:06:07 +00:00
Georg Brandl 05b3c450a8 Bug #1457823: cgi.(Sv)FormContentDict's constructor now takes
keep_blank_values and strict_parsing keyword arguments.
2006-09-30 10:58:01 +00:00
Guido van Rossum 9568b738ec Chris McDonough's patch to defend against certain DoS attacks on FieldStorage.
SF bug #1112549.
2006-08-10 17:41:07 +00:00
Armin Rigo 3a703b6059 Reverted revision 1.83, which introduced a bug and subtle incompatibility
issues.  See bug #1112856.
2005-09-19 09:11:04 +00:00
Skip Montanaro 97b2fa229c Bring cgi.escape docstring slightly more in line with the library ref
manual.  Closes #1243553.
2005-08-02 02:50:25 +00:00
Johannes Gijsbers c7fc10a418 Patch #1079734: remove dependencies on (deprecated) rfc822 and mimetools
modules, replacing with email. Thanks to Josh Hoyt for the patch!
2005-01-08 13:56:36 +00:00
Raymond Hettinger f871d833dd Remove some lambdas. 2004-12-31 21:59:02 +00:00
Raymond Hettinger a617271dbd Use cStringIO where available. 2004-12-31 19:15:26 +00:00
Johannes Gijsbers 9e15dd6861 Let cgi.parse_header() properly unquote headers (patch #1008597). 2004-08-14 15:39:34 +00:00
Neil Schemenauer 66edb6295f Don't return spurious empty fields if 'keep_empty_values' is True.
Fixes SF bug #990307.
2004-07-19 15:38:11 +00:00
Brett Cannon 8d9b60f102 Change parse_qsl() to accept control-name's with no equal sign (e.g., "name")
when keep_blank_values is true.
2004-03-21 22:16:15 +00:00
Walter Dörwald 70a6b49821 Replace backticks with repr() or "%r"
From SF patch #852334.
2004-02-12 17:35:32 +00:00
Guido van Rossum 68468eba63 Get rid of many apply() calls. 2003-02-27 20:14:51 +00:00
Guido van Rossum 4061cbee9c Patch suggested by Hamish Lawson: add an __iter__() that returns
iter(self.keys()).
2002-09-11 18:20:34 +00:00
Raymond Hettinger 46ac8eb3c8 Code modernization. Replace v=s[i]; del s[i] with single lookup v=s.pop(i) 2002-06-30 03:39:14 +00:00
Raymond Hettinger 54f0222547 SF 563203. Replaced 'has_key()' with 'in'. 2002-06-01 14:18:47 +00:00
Raymond Hettinger a144900b86 Use is None rather than general boolean 2002-05-31 23:54:44 +00:00
Tim Peters bc0e910826 Convert a pile of obvious "yes/no" functions to return bool. 2002-04-04 22:55:58 +00:00
Skip Montanaro db5d1444a1 tighten up except - only ValueError can be raised in this situation 2002-03-23 05:50:17 +00:00
Neal Norwitz 7fd41ccdb1 SF #515006, remove unnecessary import 2002-02-11 17:57:55 +00:00
Fred Drake 4c85da4d16 "ib" should be "boundary"; reported by Neal Norwitz. 2001-10-13 18:38:53 +00:00
Guido van Rossum 1bfb388d86 Class FieldStorage: add two new methods, getfirst() and getlist(),
that provide a somewhat more uniform interface to getting values.

This is from SF patch #453691.
2001-09-05 19:45:34 +00:00
Tim Peters ab9ba27dc0 Whitespace normalization. 2001-08-09 21:40:30 +00:00
Guido van Rossum 2e441f7836 Fix a denial-of-service attack, SF bug #443120.
Code by Evan Simpson.
2001-07-25 21:00:19 +00:00
Guido van Rossum 52b8c29ca7 Solve SF bug #231249: cgi.py opens too many (temporary) files.
class FieldStorage: this patch changes read_lines() and co. to use a
StringIO() instead of a real file.  The write() calls are redirected
to a private method that replaces it with a real, external file only
when it gets too big (> 1000 bytes).

This avoids problems in forms using the multipart/form-data encoding
with many fields.  The original code created a temporary file for
*every* field (not just for file upload fields), thereby sometimes
exceeding the open file limit of some systems.

Note that the simpler solution "use a real file only for file uploads"
can't be used because the form field parser has no way to tell which
fields correspond to file uploads.

It's *possible* but extremely unlikely that this would break someone's
code; they would have to be stepping way outside the documented
interface for FieldStorage and use f.file.fileno(), or depend on
overriding make_file() to return a file-like object with additional
known properties.
2001-06-29 13:06:06 +00:00
Guido van Rossum a8423a95b8 Add a whole lot of stuff to __all__.
(Excluding the logging stuff, which doesn't lend itself to use via
"from cgi import *" -- it manipulates globals.)
2001-03-19 13:40:44 +00:00
Skip Montanaro ff443a51eb added missing element to __all__ 2001-02-28 01:03:48 +00:00
Guido van Rossum 467d723bd7 Added a comment explaining why this file must really have #!
/usr/local/bin/python and not #! /usr/bin/env python.
2001-02-13 13:13:33 +00:00
Eric S. Raymond 7e9b4f58b6 String method conversion. 2001-02-09 09:59:10 +00:00
Skip Montanaro e99d5ea25b added __all__ lists to a number of Python modules
added test script and expected output file as well
this closes patch 103297.
__all__ attributes will be added to other modules without first submitting
a patch, just adding the necessary line to the test script to verify
more-or-less correct implementation.
2001-01-20 19:54:20 +00:00
Tim Peters 88869f9787 Whitespace normalization. 2001-01-14 23:36:06 +00:00
Guido van Rossum 7dd06966cb Make Traceback header conform to new traceback ("innermost last" ->
"most recent call last").
2000-12-27 19:12:58 +00:00
Barry Warsaw 7fed217515 This fixes several bug reports concerning memory bloating during large
file uploads.

In response to SF bugs 110674 and 119806, and discussions on
python-dev, we are removing the self.lines attribute from the
FieldStorage class.  Specifically touched were methods __init__(),
read_lines_to_eof(), and skip_lines().

No one can remember why self.lines was added.  Technically, it's part
of the public interface for the class, but it was never documented.
It's possible clever or nosy code will break because of this, but it
was decided to remove it and see who complains.

This resolution also closes the second half of the cgi.py entry in PEP
42.  The first half of that PEP concerns specifically binary file
uploads, where there may be no end-of-line marker for a very long
time.  This patch does not address that issue.
2000-11-06 18:46:09 +00:00