Author Marcel Hellkamp
Recipients Marcel Hellkamp
Date 2016-06-13.18:45:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1465843531.5.0.166620691183.issue27308@psf.upfronthosting.co.za>
In-reply-to
Content
Discovered here: https://github.com/bottlepy/bottle/issues/856

If a multipart section has a "Content-Length" header, but no "filename" attribute in the "Content-Disposition" header, cgi.FieldStorage tries to write binary data to a temporary file opened in text-mode.

The problem here is that cgi.FieldStorage tries to decide if something is a binary file-upload or a unicode form-field, but it does so based on two different headers in two different places. If the headers contradict each other (form-fields usually don't have a Content-Length, file-uploads usually have a filename), parsing breaks with a TypeError.

Unfortunately, there are some HTTP client libraries out there that trigger this bug.



Here is what happens:

A "Content-Length" header causes `cgi.FieldStorage.length` to be is set (which is fine).
https://hg.python.org/cpython/file/3.4/Lib/cgi.py#l550

If `length` has a value, `read_binary()` is used instead of `read_lines()` (which is questionable).
https://hg.python.org/cpython/file/3.4/Lib/cgi.py#l733

`read_binary()` calls `make_file()` which creates the buffer file in text mode if it does not find a `filename` attribute in the "Content-Disposition" Header (which is somewhat okay).
https://hg.python.org/cpython/file/3.4/Lib/cgi.py#l515
https://hg.python.org/cpython/file/3.4/Lib/cgi.py#l893

The bug is triggered if the last two steps disagree on the bytes vs. text question.
History
Date User Action Args
2016-06-13 18:45:31Marcel Hellkampsetrecipients: + Marcel Hellkamp
2016-06-13 18:45:31Marcel Hellkampsetmessageid: <1465843531.5.0.166620691183.issue27308@psf.upfronthosting.co.za>
2016-06-13 18:45:31Marcel Hellkamplinkissue27308 messages
2016-06-13 18:45:31Marcel Hellkampcreate