Author: martin.panter
Recipients: Chris.Waigl, Johannes.Hoff, ajaksu2, alexz, atommixz, barry, bgamari, catalin.iacob, catlee, cco3, checat, daniel.ugra, eric.araujo, forest_atq, fsteinel, gotgenes, guettli, jnoller, martin.panter, orsenthil, piotr.dobrogost, pitrou, r.david.murray, raylu, shazow, tamentis
Date: 2016-08-14.07:37:51
Message-id: <1471160272.04.0.159504543489.issue3244@psf.upfronthosting.co.za>

Content
I think encoding the user’s IP address into the boundary is a bad idea. Forest’s version uses the existing “email” package, which calls random.randrange(sys.maxsize) and searches through the data for conflicts.

I haven’t really researched this, but I suspect it would be even better to use a CSPRNG like the new “secrets” module, or uuid.uuid4(). Otherwise, perhaps there is the possibility of attacks by predicting the boundary and injecting HTTP headers, splitting up requests, etc. via a file upload.

Both Forest’s and Senthil’s patches look like they load all the data into memory, so would not be useful for streaming, which was the original request. Hence I am putting this back to “needs patch”. Issue 3243 has been resolved, meaning that we can stream upload data as long as the Content-Length has been pre-calculated. The length could be calculated based on the length of each piece (e.g. file sizes).

Also, with Issue 12319 (chunked encoding) about to be resolved, if people only need to use HTTP 1.1, it may be easier to upload forms using chunked encoding, where you don’t have to worry about Content-Length.
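The two points above, a boundary drawn from a CSPRNG that is checked against the in-memory parts, and a Content-Length computed from per-part sizes so the body can be streamed instead of concatenated, combined in one added example. This is illustrative code written for this page, not martin.panter's code and not part of any patch on the issue or of CPython; the `Part`, `make_boundary`, `content_length`, `iter_body` and `build_request` names are this example's own, and the sample field and file are constructed inline.

```python
import io
import os
import secrets

CRLF = b"\r\n"


def quote_param(value):
    # Keep quotes and line breaks out of Content-Disposition parameters so a
    # field or file name cannot terminate the header line early.
    return (value.replace("\\", "\\\\").replace('"', "%22")
                 .replace("\r", "%0D").replace("\n", "%0A"))


def _file_size(fileobj):
    # Size from the OS when backed by a real file, otherwise seek to the end.
    try:
        return os.fstat(fileobj.fileno()).st_size
    except (AttributeError, io.UnsupportedOperation, OSError):
        pos = fileobj.tell()
        fileobj.seek(0, os.SEEK_END)
        size = fileobj.tell()
        fileobj.seek(pos)
        return size


class Part:
    """One multipart/form-data part: CRLF-terminated header lines plus a payload
    (bytes, or a seekable binary file object) whose size is known up front."""

    def __init__(self, headers, payload):
        self.headers = headers
        self.payload = payload
        self.size = len(payload) if isinstance(payload, bytes) else _file_size(payload)

    def chunks(self, chunk_size=64 * 1024):
        if isinstance(self.payload, bytes):
            yield self.payload
            return
        self.payload.seek(0)
        while True:
            block = self.payload.read(chunk_size)
            if not block:
                break
            yield block


def field_part(name, value):
    headers = f'Content-Disposition: form-data; name="{quote_param(name)}"\r\n'
    return Part(headers.encode("utf-8"), value.encode("utf-8"))


def file_part(name, filename, content_type, fileobj):
    headers = (f'Content-Disposition: form-data; name="{quote_param(name)}"; '
               f'filename="{quote_param(filename)}"\r\n'
               f"Content-Type: {content_type}\r\n")
    return Part(headers.encode("utf-8"), fileobj)


def make_boundary(parts, nbytes=16):
    """Draw a boundary from the CSPRNG and retry if any header or in-memory
    payload already contains it. File payloads are not scanned: with 128 bits
    of entropy the boundary cannot be predicted by whoever supplied the file."""
    while True:
        boundary = secrets.token_hex(nbytes)
        needle = boundary.encode("ascii")
        if not any(needle in p.headers or
                   (isinstance(p.payload, bytes) and needle in p.payload)
                   for p in parts):
            return boundary


def content_length(parts, boundary):
    """Total body size from per-part sizes alone; nothing is concatenated."""
    b = boundary.encode("ascii")
    per_part = sum(len(b"--" + b + CRLF) + len(p.headers) + len(CRLF)
                   + p.size + len(CRLF) for p in parts)
    return per_part + len(b"--" + b + b"--" + CRLF)


def iter_body(parts, boundary):
    """Yield the multipart/form-data body chunk by chunk (streaming)."""
    b = boundary.encode("ascii")
    for p in parts:
        yield b"--" + b + CRLF
        yield p.headers
        yield CRLF
        yield from p.chunks()
        yield CRLF
    yield b"--" + b + b"--" + CRLF


def build_request(parts):
    """Headers plus a body iterator; the iterator can be passed as the body
    argument of http.client.HTTPConnection.request()."""
    boundary = make_boundary(parts)
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}",
               "Content-Length": str(content_length(parts, boundary))}
    return headers, iter_body(parts, boundary)


# Constructed sample input: one text field and one "file" held in a BytesIO.
SAMPLE_PARTS = [
    field_part("comment", "hello, world"),
    file_part("upload", "notes.txt", "text/plain",
              io.BytesIO(b"line one\r\nline two\r\n")),
]


def demo():
    headers, body = build_request(SAMPLE_PARTS)
    return headers, b"".join(body)


if __name__ == "__main__":
    hdrs, data = demo()
    print(hdrs)
    print(data.decode("utf-8"))
```

Because every chunk size is known before the first byte is sent, the declared Content-Length always equals the streamed length, which is what the resolved Issue 3243 path needs; the same `iter_body` generator can also feed a chunked request if Content-Length is simply left out.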
History

Date | User | Action | Args
2016-08-14 07:37:52 | martin.panter | set | recipients: + martin.panter, barry, guettli, orsenthil, pitrou, catlee, gotgenes, ajaksu2, jnoller, eric.araujo, forest_atq, fsteinel, r.david.murray, shazow, bgamari, daniel.ugra, alexz, tamentis, checat, catalin.iacob, Chris.Waigl, Johannes.Hoff, cco3, atommixz, piotr.dobrogost, raylu
2016-08-14 07:37:52 | martin.panter | set | messageid: <1471160272.04.0.159504543489.issue3244@psf.upfronthosting.co.za>
2016-08-14 07:37:52 | martin.panter | link | issue3244 messages
2016-08-14 07:37:51 | martin.panter | create |