summaryrefslogtreecommitdiffstats
path: root/Lib/test/test_cgi.py
diff options
context:
space:
mode:
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2018-10-19 11:16:57 (GMT)
committerGitHub <noreply@github.com>2018-10-19 11:16:57 (GMT)
commit322a914965368ffd7e4f97ede50b351fdf48d870 (patch)
tree6a79e88c4ef83a6df6fc5655b760db0f6a36056e /Lib/test/test_cgi.py
parentd85c2726b9f305ac5128764bda773a78e52101cd (diff)
downloadcpython-322a914965368ffd7e4f97ede50b351fdf48d870.zip
cpython-322a914965368ffd7e4f97ede50b351fdf48d870.tar.gz
cpython-322a914965368ffd7e4f97ede50b351fdf48d870.tar.bz2
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by limiting the number of `MiniFieldStorage` objects created by `FieldStorage`. (cherry picked from commit 209144831b0a19715bda3bd72b14a3e6192d9cc1) Co-authored-by: matthewbelisle-wf <matthew.belisle@workiva.com>
Diffstat (limited to 'Lib/test/test_cgi.py')
-rw-r--r--Lib/test/test_cgi.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
index 6373221..953b99c 100644
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -373,6 +373,55 @@ Larry
v = gen_result(data, environ)
self.assertEqual(self._qs_result, v)
+ def test_max_num_fields(self):
+ # For application/x-www-form-urlencoded
+ data = '&'.join(['a=a']*11)
+ environ = {
+ 'CONTENT_LENGTH': str(len(data)),
+ 'CONTENT_TYPE': 'application/x-www-form-urlencoded',
+ 'REQUEST_METHOD': 'POST',
+ }
+
+ with self.assertRaises(ValueError):
+ cgi.FieldStorage(
+ fp=BytesIO(data.encode()),
+ environ=environ,
+ max_num_fields=10,
+ )
+
+ # For multipart/form-data
+ data = """---123
+Content-Disposition: form-data; name="a"
+
+a
+---123
+Content-Type: application/x-www-form-urlencoded
+
+a=a&a=a
+---123--
+"""
+ environ = {
+ 'CONTENT_LENGTH': str(len(data)),
+ 'CONTENT_TYPE': 'multipart/form-data; boundary=-123',
+ 'QUERY_STRING': 'a=a&a=a',
+ 'REQUEST_METHOD': 'POST',
+ }
+
+ # 2 GET entities
+ # 2 top level POST entities
+ # 2 entities within the second POST entity
+ with self.assertRaises(ValueError):
+ cgi.FieldStorage(
+ fp=BytesIO(data.encode()),
+ environ=environ,
+ max_num_fields=5,
+ )
+ cgi.FieldStorage(
+ fp=BytesIO(data.encode()),
+ environ=environ,
+ max_num_fields=6,
+ )
+
def testQSAndFormData(self):
data = """---123
Content-Disposition: form-data; name="key2"
generated by cgit v0.12 at 2025-09-01 11:38:37 (GMT)