01-14-07 06:13 AM
FieldStorage wrongly assumes boundary is last attribute in Content-Type head
ers value.
----------------------------------------------------------------------------
----------
Key: MODPYTHON-210
URL: https://issues.apache.org/jira/browse/MODPYTHON-210
Project: mod_python
Issue Type: Bug
Components: core
Affects Versions: 3.2.10, 3.3
Reporter: Graham Dumpleton
Mozilla can generate multipart content that looks like:
Content-Length: 522
Content-Type: multipart/related; boundary=---------------------------1359228
0651221337293469391600; type="application/xml"; start="<4c599da9.58c746e8@mo
zilla.org >"
Cookie: lang=1
This highlights an issue with util.FieldStorage in that it assumes that the
boundary attribute of the Content-Type header will always be the last thing
in the value. Ie., the code in FieldStorage is:
# figure out boundary
try:
i = ctype.lower().rindex("boundary=")
boundary = ctype[i+9:]
if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
boundary = boundary[1:-1]
boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
The FieldStorage code should correctly split out all attributes from the lin
e and then deal with list the boundary attribute by itself and not make assu
mptions about the order of attributes on the line. The code is also question
able depending on whether i
t is guaranteed by Apache that trailing space is striped from the value of h
eaders. If there is trailing white space it will interfere with the check fo
r whether the boundary is surrounded by quotes. Finally, does the specificat
ion for HTTP headers always
entail the use of a double quote as this is the only thing that is checked f
or?
[ Post a follow-up to this message ]
| 
