| Graham Dumpleton (JIRA) 2007-01-14, 1:13 am |
| FieldStorage wrongly assumes boundary is last attribute in Content-Type headers value.
--------------------------------------------------------------------------------------
Key: MODPYTHON-210
URL: https://issues.apache.org/jira/browse/MODPYTHON-210
Project: mod_python
Issue Type: Bug
Components: core
Affects Versions: 3.2.10, 3.3
Reporter: Graham Dumpleton
Mozilla can generate multipart content that looks like:
Content-Length: 522
Content-Type: multipart/related; boundary=---------------------------13592280651221337293469391600; type="application/xml"; start="<4c599da9.58c746e8@mozilla.org >"
Cookie: lang=1
This highlights an issue with util.FieldStorage in that it assumes that the boundary attribute of the Content-Type header will always be the last thing in the value. Ie., the code in FieldStorage is:
# figure out boundary
try:
i = ctype.lower().rindex("boundary=")
boundary = ctype[i+9:]
if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
boundary = boundary[1:-1]
boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
The FieldStorage code should correctly split out all attributes from the line and then deal with list the boundary attribute by itself and not make assumptions about the order of attributes on the line. The code is also questionable depending on whether i
t is guaranteed by Apache that trailing space is striped from the value of headers. If there is trailing white space it will interfere with the check for whether the boundary is surrounded by quotes. Finally, does the specification for HTTP headers always
entail the use of a double quote as this is the only thing that is checked for?
|