quetz-mod_python-dev mailing list archives

From "Graham Dumpleton (JIRA)" <j...@apache.org>
Subject [jira] Created: (MODPYTHON-210) FieldStorage wrongly assumes boundary is last attribute in Content-Type headers value.
Date Sun, 14 Jan 2007 03:57:27 GMT
FieldStorage wrongly assumes boundary is last attribute in Content-Type headers value.

                 Key: MODPYTHON-210
                 URL: https://issues.apache.org/jira/browse/MODPYTHON-210
             Project: mod_python
          Issue Type: Bug
          Components: core
    Affects Versions: 3.2.10, 3.3
            Reporter: Graham Dumpleton

Mozilla can generate multipart content that looks like:

Content-Length: 522
Content-Type: multipart/related; boundary=---------------------------13592280651221337293469391600; type="application/xml"; start="<4c599da9.58c746e8@mozilla.org >"
Cookie: lang=1

This highlights an issue with util.FieldStorage in that it assumes that the boundary attribute
of the Content-Type header will always be the last thing in the value. I.e., the code in FieldStorage:

        # figure out boundary
            i = ctype.lower().rindex("boundary=")
            boundary = ctype[i+9:]
            if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
                boundary = boundary[1:-1]
            boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")

The FieldStorage code should correctly split out all attributes from the line and then deal
with the boundary attribute by itself and not make assumptions about the order of attributes
on the line. The code is also questionable depending on whether it is guaranteed by Apache
that trailing space is stripped from the value of headers. If there is trailing white space
it will interfere with the check for whether the boundary is surrounded by quotes. Finally,
does the specification for HTTP headers always entail the use of a double quote as this is
the only thing that is checked for?

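One way to do the attribute split the report asks for, shown as an added example (it is not mod_python's code and not the fix that was committed). The names `legacy_boundary`, `parse_content_type` and `boundary_regex` are hypothetical, the sample header is constructed from the one quoted in the report, and "first occurrence of a parameter wins" is an assumption of this sketch.

```python
import re

# Constructed sample: the header from the report, trailing space kept on purpose.
MOZILLA_CTYPE = (
    'multipart/related; boundary=---------------------------13592280651221337293469391600; '
    'type="application/xml"; start="<4c599da9.58c746e8@mozilla.org >" ')

# One ";name=value" parameter. The value is a token or a quoted-string; the
# quoted-string grammar (RFC 2045 / RFC 2616) uses double quotes with backslash escapes.
_PARAM = re.compile(r'\s*;\s*([^\s=;"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]*))')


def legacy_boundary(ctype):
    """The logic quoted in the report: everything after the last 'boundary='."""
    i = ctype.lower().rindex("boundary=")
    boundary = ctype[i + 9:]
    if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
        boundary = boundary[1:-1]
    return boundary


def parse_content_type(ctype):
    """Return (media_type, params); parameter names are lower-cased."""
    media_type, sep, rest = ctype.partition(";")
    params, pos, rest = {}, 0, sep + rest
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            if rest[pos:].strip(" \t;") == "":
                break  # only trailing whitespace or a dangling ';' remains
            raise ValueError("malformed Content-Type parameter: %r" % rest[pos:])
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params.setdefault(name, value)  # assumption: first occurrence wins
        pos = m.end()
    return media_type.strip().lower(), params


def boundary_regex(ctype):
    """Compile the delimiter pattern from the boundary parameter alone."""
    _, params = parse_content_type(ctype)
    boundary = params.get("boundary")
    if not boundary:
        raise ValueError("no boundary parameter in %r" % ctype)
    return re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
```

On the sample header, `legacy_boundary` returns the boundary plus every attribute after it, so the compiled delimiter can never match the body; `boundary_regex` yields the same pattern regardless of attribute order, quoting or trailing whitespace.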