summaryrefslogtreecommitdiffstats
path: root/Lib/urllib/parse.py
diff options
context:
space:
mode:
authormatthewbelisle-wf <matthew.belisle@workiva.com>2018-10-19 10:52:59 (GMT)
committerMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2018-10-19 10:52:59 (GMT)
commit209144831b0a19715bda3bd72b14a3e6192d9cc1 (patch)
tree872e8d5460807aaf6f02b72a0c3b8f4202739ba2 /Lib/urllib/parse.py
parentf081fd83032be48aefdb1bbcc38ab5deb03785d5 (diff)
downloadcpython-209144831b0a19715bda3bd72b14a3e6192d9cc1.zip
cpython-209144831b0a19715bda3bd72b14a3e6192d9cc1.tar.gz
cpython-209144831b0a19715bda3bd72b14a3e6192d9cc1.tar.bz2
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
Diffstat (limited to 'Lib/urllib/parse.py')
-rw-r--r--Lib/urllib/parse.py22
1 files changed, 19 insertions, 3 deletions
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index f21b8eb..dc21711 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -628,7 +628,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
- encoding='utf-8', errors='replace'):
+ encoding='utf-8', errors='replace', max_num_fields=None):
"""Parse a query given as a string argument.
Arguments:
@@ -649,11 +649,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
encoding and errors: specify how to decode percent-encoded sequences
into Unicode characters, as accepted by the bytes.decode() method.
+ max_num_fields: int. If set, then throws a ValueError if there
+ are more than n fields read by parse_qsl().
+
Returns a dictionary.
"""
parsed_result = {}
pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
- encoding=encoding, errors=errors)
+ encoding=encoding, errors=errors,
+ max_num_fields=max_num_fields)
for name, value in pairs:
if name in parsed_result:
parsed_result[name].append(value)
@@ -663,7 +667,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
- encoding='utf-8', errors='replace'):
+ encoding='utf-8', errors='replace', max_num_fields=None):
"""Parse a query given as a string argument.
Arguments:
@@ -683,9 +687,21 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
encoding and errors: specify how to decode percent-encoded sequences
into Unicode characters, as accepted by the bytes.decode() method.
+ max_num_fields: int. If set, then throws a ValueError
+ if there are more than n fields read by parse_qsl().
+
Returns a list, as G-d intended.
"""
qs, _coerce_result = _coerce_args(qs)
+
+ # If max_num_fields is defined then check that the number of fields
+ # is less than max_num_fields. This prevents a memory exhaustion DOS
+ # attack via post bodies with many fields.
+ if max_num_fields is not None:
+ num_fields = 1 + qs.count('&') + qs.count(';')
+ if max_num_fields < num_fields:
+ raise ValueError('Max number of fields exceeded')
+
pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
r = []
for name_value in pairs: