bpo-34866: Add max_num_fields to cgi.FieldStorage (GH-9660) (GH-9969)

Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by limiting the number of `MiniFieldStorage` objects created by `FieldStorage`. (cherry picked from commit 209144831b0a19715bda3bd72b14a3e6192d9cc1)
author: matthewbelisle-wf <matthew.belisle@workiva.com> 2018-10-30 21:16:26 (GMT)
committer: Victor Stinner <vstinner@redhat.com> 2018-10-30 21:16:26 (GMT)
commit: bc6f74a520112d25ef40324e3de4e8187ff2835d (patch)
tree: 6240dc59ea6b1ca83094e0390f77bc8d013ebf6c /Lib/test/test_cgi.py
parent: 64ffee7ad2655c7de9b3b6548aad0c317877ec49 (diff)
download: cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.zip
cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.tar.gz
cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.tar.bz2
1 files changed, 55 insertions, 0 deletions
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
index c9cf095..743c2af 100644
--- a/Lib/test/test_cgi.py
+++ b/Lib/test/test_cgi.py
@@ -1,3 +1,4 @@
+from io import BytesIO
 from test.test_support import run_unittest, check_warnings
 import cgi
 import os
@@ -316,6 +317,60 @@ Content-Type: text/plain
         v = gen_result(data, environ)
         self.assertEqual(self._qs_result, v)
 
+    def test_max_num_fields(self):
+        # For application/x-www-form-urlencoded
+        data = '&'.join(['a=a']*11)
+        environ = {
+            'CONTENT_LENGTH': str(len(data)),
+            'CONTENT_TYPE': 'application/x-www-form-urlencoded',
+            'REQUEST_METHOD': 'POST',
+        }
+
+        with self.assertRaises(ValueError):
+            cgi.FieldStorage(
+                fp=BytesIO(data.encode()),
+                environ=environ,
+                max_num_fields=10,
+            )
+
+        # For multipart/form-data
+        data = """---123
+Content-Disposition: form-data; name="a"
+
+3
+---123
+Content-Type: application/x-www-form-urlencoded
+
+a=4
+---123
+Content-Type: application/x-www-form-urlencoded
+
+a=5
+---123--
+"""
+        environ = {
+            'CONTENT_LENGTH':   str(len(data)),
+            'CONTENT_TYPE':     'multipart/form-data; boundary=-123',
+            'QUERY_STRING':     'a=1&a=2',
+            'REQUEST_METHOD':   'POST',
+        }
+
+        # 2 GET entities
+        # 1 top level POST entities
+        # 1 entity within the second POST entity
+        # 1 entity within the third POST entity
+        with self.assertRaises(ValueError):
+            cgi.FieldStorage(
+                fp=BytesIO(data.encode()),
+                environ=environ,
+                max_num_fields=4,
+            )
+        cgi.FieldStorage(
+            fp=BytesIO(data.encode()),
+            environ=environ,
+            max_num_fields=5,
+        )
+
     def testQSAndFormData(self):
         data = """
 ---123
author	matthewbelisle-wf <matthew.belisle@workiva.com>	2018-10-30 21:16:26 (GMT)
committer	Victor Stinner <vstinner@redhat.com>	2018-10-30 21:16:26 (GMT)
commit	bc6f74a520112d25ef40324e3de4e8187ff2835d (patch)
tree	6240dc59ea6b1ca83094e0390f77bc8d013ebf6c /Lib/test/test_cgi.py
parent	64ffee7ad2655c7de9b3b6548aad0c317877ec49 (diff)
download	cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.zip cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.tar.gz cpython-bc6f74a520112d25ef40324e3de4e8187ff2835d.tar.bz2