mod_python / MODPYTHON-159

multiline headers in multipart/form not handled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4, 3.2.8
    • Fix Version/s: 3.3.1
    • Component/s: core
    • Labels:
      None

      Description

      Reported a long time back on mailing list that multiline headers in a multipart/form post are not handled properly by util.FieldStorage class.

      http://www.modpython.org/pipermail/mod_python/2001-November/012256.html

      This seems to never have been addressed. Further comments confirming this posted in:

      http://www.mail-archive.com/python-dev@httpd.apache.org/msg01805.html

        Activity

        grahamd Graham Dumpleton added a comment -

        Another candidate for 3.3. Fix should be pretty simple, just need to adapt the original proposed change as posted on mailing list back in 2001.

        grahamd Graham Dumpleton added a comment -

        Does this patch seem correct for current implementation of util.FieldStorage?

        Index: lib/python/mod_python/util.py
        ===================================================================
        — lib/python/mod_python/util.py (revision 442143)
        +++ lib/python/mod_python/util.py (working copy)
        @@ -174,6 +174,10 @@

        skip_this_part = False
        while line not in ('\r','\r\n'):
        + nextline = req.readline(readBlockSize)
        + while nextline and nextline[0] in [ ' ', '\t']:
        + line = line + nextline
        + nextline = req.readline(readBlockSize)

        1. we read the headers until we reach an empty line
        2. NOTE : a single \n would mean the entity is malformed, but
        3. we're tolerating it anyway
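Review bot: The inner loop `while nextline and nextline[0] in [ ' ', '\t']:` appends to `line` with no upper bound, so a part that keeps sending lines starting with a space or tab grows `line` for as long as the request body lasts. Cap the accumulated length and reject the part once it is exceeded. `line = line + nextline` also leaves the first line's trailing line ending inside the joined value, so strip it before joining; otherwise the header parsing below receives a value with an embedded line break.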
          @@ -192,7 +196,7 @@
          if ctype.find('/') == -1:
          ctype = 'application/octet-stream'
        • line = req.readline(readBlockSize)
          + line = nextline
          match = boundary.match(line)
          if (not line) or match:
        1. we stop if we reached the end of the stream or a stop boundary
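Review bot: The replacement `line = nextline` depends on the look-ahead read added at the top of the loop in the first hunk, and nothing here says so. Add a short comment stating that `nextline` is the first non-continuation line already consumed from `req`, so a later edit does not reintroduce a second `req.readline(readBlockSize)` and silently skip a line. A regression test posting a part with a folded header would cover both hunks.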
        grahamd Graham Dumpleton added a comment -

        Indenting got stuffed up when pasted in for some reason. Have attached possible patch instead.

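An added example, not mod_python's code or the attached patch: a stand-alone Python 3 reader for one part's header block that joins folded lines, as this issue describes, and bounds the joined size. The names `read_part_headers` and `MAX_HEADER_BYTES`, the cap value and the sample part are assumptions made for illustration.

```python
import io

MAX_HEADER_BYTES = 8192  # assumed cap for this example, not a mod_python setting

# Constructed sample: one part whose Content-Disposition header is folded.
SAMPLE = (b'Content-Disposition: form-data; name="upload";\r\n'
          b'\tfilename="report.txt"\r\n'
          b'Content-Type: text/plain\r\n'
          b'\r\n'
          b'body bytes\r\n')


def read_part_headers(stream, max_bytes=MAX_HEADER_BYTES):
    """Read one part's header block, joining folded (continuation) lines.

    Returns (name, value) pairs and leaves the stream at the start of the
    part body. Raises ValueError on truncated, malformed or oversized input.
    """
    headers, total = [], 0
    line = stream.readline(max_bytes + 1)
    while line not in (b"\r\n", b"\n"):
        if not line:
            raise ValueError("stream ended inside part headers")
        # Look ahead: a line starting with space or tab continues this header.
        nextline = stream.readline(max_bytes + 1)
        while nextline[:1] in (b" ", b"\t"):
            # Drop the line ending and collapse the fold to one space.
            line = line.rstrip(b"\r\n") + b" " + nextline.lstrip(b" \t")
            if total + len(line) > max_bytes:
                raise ValueError("part headers exceed %d bytes" % max_bytes)
            nextline = stream.readline(max_bytes + 1)
        total += len(line)
        if total > max_bytes:
            raise ValueError("part headers exceed %d bytes" % max_bytes)
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without ':'")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
        line = nextline  # already consumed from the stream by the look-ahead
    return headers


if __name__ == "__main__":
    body = io.BytesIO(SAMPLE)
    print(read_part_headers(body))
    print(body.read())
```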

          People

          • Assignee:
            grahamd Graham Dumpleton
            Reporter:
            grahamd Graham Dumpleton