(Merge 3.5) cgi.FieldStorage.read_multi ignores Content-Length

Issue #24764: cgi.FieldStorage.read_multi() now ignores the Content-Length header in part headers. Patch written by Peter Landry and reviewed by Pierre Quentel.
author: Victor Stinner <victor.stinner@gmail.com> 2015-08-18 17:23:48 (GMT)
committer: Victor Stinner <victor.stinner@gmail.com> 2015-08-18 17:23:48 (GMT)
commit: 7a0eadc6d5aea200e4b24c658b9a07ed30ee7452 (patch)
tree: 4725e5500eff2a7ca763caf14726d6a969a2cd5f
parent: 501b4a73980d363fca3a69d5999d377f3ae5cc3f (diff)
parent: 1e26dc7ef60c19f57e779bb1f7906e446d71d343 (diff)
download: cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.zip
cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.tar.gz
cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.tar.bz2
4 files changed, 28 insertions, 0 deletions
diff --git a/Lib/cgi.py b/Lib/cgi.py
index 4be28ba..26d2544 100755
--- a/Lib/cgi.py
+++ b/Lib/cgi.py
@@ -720,6 +720,11 @@ class FieldStorage:
             self.bytes_read += len(hdr_text)
             parser.feed(hdr_text.decode(self.encoding, self.errors))
             headers = parser.close()
+
+            # Some clients add Content-Length for part headers, ignore them
+            if 'content-length' in headers:
+                del headers['content-length']
+
             part = klass(self.fp, headers, ib, environ, keep_blank_values,
                          strict_parsing,self.limit-self.bytes_read,
                          self.encoding, self.errors)
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
index a7a9d02..ab9f6ab 100644
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -326,6 +326,24 @@ Content-Type: text/plain
                 got = getattr(files[x], k)
                 self.assertEqual(got, exp)
 
+    def test_fieldstorage_part_content_length(self):
+        BOUNDARY = "JfISa01"
+        POSTDATA = """--JfISa01
+Content-Disposition: form-data; name="submit-name"
+Content-Length: 5
+
+Larry
+--JfISa01"""
+        env = {
+            'REQUEST_METHOD': 'POST',
+            'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY),
+            'CONTENT_LENGTH': str(len(POSTDATA))}
+        fp = BytesIO(POSTDATA.encode('latin-1'))
+        fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1")
+        self.assertEqual(len(fs.list), 1)
+        self.assertEqual(fs.list[0].name, 'submit-name')
+        self.assertEqual(fs.list[0].value, 'Larry')
+
     def test_fieldstorage_as_context_manager(self):
         fp = BytesIO(b'x' * 10)
         env = {'REQUEST_METHOD': 'PUT'}
diff --git a/Misc/ACKS b/Misc/ACKS
index a5d51b8..e1b310c 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -795,6 +795,7 @@ Thomas Lamb
 Valerie Lambert
 Jean-Baptiste "Jiba" Lamy
 Ronan Lamy
+Peter Landry
 Torsten Landschoff
 Łukasz Langa
 Tino Lange
diff --git a/Misc/NEWS b/Misc/NEWS
index acf0442..b2ec4f9 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -22,6 +22,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #24764: cgi.FieldStorage.read_multi() now ignores the Content-Length
+  header in part headers. Patch written by Peter Landry and reviewed by Pierre
+  Quentel.
+
 - Issue #24774: Fix docstring in http.server.test. Patch from Chiu-Hsiang Hsu.
 
 - Issue #21159: Improve message in configparser.InterpolationMissingOptionError.
author	Victor Stinner <victor.stinner@gmail.com>	2015-08-18 17:23:48 (GMT)
committer	Victor Stinner <victor.stinner@gmail.com>	2015-08-18 17:23:48 (GMT)
commit	7a0eadc6d5aea200e4b24c658b9a07ed30ee7452 (patch)
tree	4725e5500eff2a7ca763caf14726d6a969a2cd5f
parent	501b4a73980d363fca3a69d5999d377f3ae5cc3f (diff)
parent	1e26dc7ef60c19f57e779bb1f7906e446d71d343 (diff)
download	cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.zip cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.tar.gz cpython-7a0eadc6d5aea200e4b24c658b9a07ed30ee7452.tar.bz2