This code in cgi.py makes no sense whatsoever:

842                 if line.endswith(b"--") and last_line_lfend:
843                     strippedline = line.strip()
844                     if strippedline == next_boundary:
845                         break
846                     if strippedline == last_boundary:
847                         self.done = 1
848                         break

(Pdb) p next_boundary
b'--testdata'
(Pdb) p last_boundary
b'--testdata--'
(Pdb) 

The net effect of this is that parsing a multipart with more than one file in it is impossible, as the first file's reader will gobble up the remainder of the input.

Patch attached.

I guess it's a safe bet that no sane person even uses cgi.py any more, otherwise this would have been discovered a bit sooner.

The patch has been applied some time ago (I couldn't find the exact commit), cf. https://github.com/python/cpython/blob/master/Lib/cgi.py#L750

I think we can close the issue.

The last status was "test-needed" -- has anyone verified that a test exists for this scenario?

@ethan.furman
Yes, in test_cgi.py, the method test_fieldstorage_multipart_w3c https://github.com/python/cpython/blob/master/Lib/test/test_cgi.py#L316) uses a multipart content with 2 files in it (https://github.com/python/cpython/blob/master/Lib/test/test_cgi.py#L579)

Excellent, thanks for checking!