author | matthewbelisle-wf <matthew.belisle@workiva.com> | 2018-10-19 10:52:59 (GMT) |
committer | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2018-10-19 10:52:59 (GMT) |
commit | 209144831b0a19715bda3bd72b14a3e6192d9cc1 (patch) | |
tree | 872e8d5460807aaf6f02b72a0c3b8f4202739ba2 /Lib/urllib | |
parent | f081fd83032be48aefdb1bbcc38ab5deb03785d5 (diff) | |
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
Diffstat (limited to 'Lib/urllib')
-rw-r--r-- | Lib/urllib/parse.py | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index f21b8eb..dc21711 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -628,7 +628,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
 def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
-             encoding='utf-8', errors='replace'):
+             encoding='utf-8', errors='replace', max_num_fields=None):
     """Parse a query given as a string argument.
     Arguments:
@@ -649,11 +649,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
         encoding and errors: specify how to decode percent-encoded sequences
             into Unicode characters, as accepted by the bytes.decode() method.
+        max_num_fields: int. If set, then throws a ValueError if there
+            are more than n fields read by parse_qsl().
+
     Returns a dictionary.
     """
     parsed_result = {}
     pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
-                      encoding=encoding, errors=errors)
+                      encoding=encoding, errors=errors,
+                      max_num_fields=max_num_fields)
     for name, value in pairs:
         if name in parsed_result:
             parsed_result[name].append(value)
@@ -663,7 +667,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
 def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
-             encoding='utf-8', errors='replace'):
+             encoding='utf-8', errors='replace', max_num_fields=None):
     """Parse a query given as a string argument.
     Arguments:
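Review bot: The added docstring entry for max_num_fields in parse_qs refers to "n", which is not defined anywhere in the docstring, so the limit reads as undocumented; name the parameter itself, e.g. `max_num_fields: int. If set, then throws a ValueError if there are more than max_num_fields fields read by parse_qsl().` The same "more than n fields" wording is added to parse_qsl's docstring in the following hunk and should be fixed there as well. It would also help callers to state that the limit is evaluated before any field is parsed, since that is what makes it an effective bound on memory. The body of parse_qs continues outside this hunk.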
@@ -683,9 +687,21 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
         encoding and errors: specify how to decode percent-encoded sequences
             into Unicode characters, as accepted by the bytes.decode() method.
+        max_num_fields: int. If set, then throws a ValueError
+            if there are more than n fields read by parse_qsl().
+
     Returns a list, as G-d intended.
     """
     qs, _coerce_result = _coerce_args(qs)
+
+    # If max_num_fields is defined then check that the number of fields
+    # is less than max_num_fields. This prevents a memory exhaustion DOS
+    # attack via post bodies with many fields.
+    if max_num_fields is not None:
+        num_fields = 1 + qs.count('&') + qs.count(';')
+        if max_num_fields < num_fields:
+            raise ValueError('Max number of fields exceeded')
+
     pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
     r = []
     for name_value in pairs: |
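Review bot: The guard in parse_qsl counts separators (`num_fields = 1 + qs.count('&') + qs.count(';')`) rather than parsed fields, so a query such as `a=1&&b=2` or one with a trailing `&` is charged for the empty pairs even though those are discarded further down unless keep_blank_values is true; a caller that sets max_num_fields to exactly the number of fields it expects may get a ValueError on benign input. Counting before `qs.split('&')` is what keeps the bound from allocating anything, so the behaviour is the right trade-off but should be stated, e.g. in the new comment: `# Counts separators, so empty pairs (e.g. 'a=1&&b=2') are included even when keep_blank_values is false; the check is O(len(qs)) and allocates nothing.` The docstring entry "more than n fields" should likewise say max_num_fields. The rest of parse_qsl's body lies outside the hunk.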