Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data

when \r\n appears at end of 65535 bytes without other newlines.

Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
when \r\n appears at end of 65535 bytes without other newlines.
e2cc341f · Serhiy Storchaka · a49dcc51 · e2cc341f · e2cc341f · e2cc341f
Kaydet (Commit) e2cc341f authored Haz 17, 2013 tarafından Serhiy Storchaka
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 0 deletions

cgi.py Lib/cgi.py +9 -0

test_cgi.py Lib/test/test_cgi.py +23 -0

NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -697,6 +697,9 @@ class FieldStorage:
            if not line:
                self.done = -1
                break
+            if delim == "\r":
+                line = delim + line
+                delim = ""
            if line[:2] == "--" and last_line_lfend:
                strippedline = line.strip()
                if strippedline == next:
@@ -713,6 +716,12 @@ class FieldStorage:
                delim = "\n"
                line = line[:-1]
                last_line_lfend = True
+            elif line[-1] == "\r":
+                # We may interrupt \r\n sequences if they span the 2**16
+                # byte boundary
+                delim = "\r"
+                line = line[:-1]
+                last_line_lfend = False
            else:
                delim = ""
                last_line_lfend = False

--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -266,6 +266,29 @@ Content-Disposition: form-data; name="submit"
                got = getattr(fs.list[x], k)
                self.assertEqual(got, exp)
+    def test_fieldstorage_multipart_maxline(self):
+        # Issue #18167
+        maxline = 1 << 16
+        self.maxDiff = None
+        def check(content):
+            data = """
+---123
+Content-Disposition: form-data; name="upload"; filename="fake.txt"
+Content-Type: text/plain
+%s
+---123--
+""".replace('\n', '\r\n') % content
+            environ = {
+                'CONTENT_LENGTH':   str(len(data)),
+                'CONTENT_TYPE':     'multipart/form-data; boundary=-123',
+                'REQUEST_METHOD':   'POST',
+            }
+            self.assertEqual(gen_result(data, environ), {'upload': content})
+        check('x' * (maxline - 1))
+        check('x' * (maxline - 1) + '\r')
+        check('x' * (maxline - 1) + '\r' + 'y' * (maxline - 1))
    _qs_result = {
        'key1': 'value1',
        'key2': ['value2x', 'value2y'],

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@ Core and Builtins
 Library
 -------
+- Issue #18167: cgi.FieldStorage no more fails to handle multipart/form-data
+  when \r\n appears at end of 65535 bytes without other newlines.
 - Issue #17403: urllib.parse.robotparser normalizes the urls before adding to
  ruleline. This helps in handling certain types invalid urls in a conservative
  manner. Patch contributed by Mher Movsisyan.