FieldStorage wrongly assumes boundary is last attribute in Content-Type headers
value.
--------------------------------------------------------------------------------------
Key: MODPYTHON-210
URL: https://issues.apache.org/jira/browse/MODPYTHON-210
Project: mod_python
Issue Type: Bug
Components: core
Affects Versions: 3.2.10, 3.3
Reporter: Graham Dumpleton
Mozilla can generate multipart content that looks like:
Content-Length: 522
Content-Type: multipart/related;
boundary=---------------------------13592280651221337293469391600;
type="application/xml"; start="<[EMAIL PROTECTED] >"
Cookie: lang=1
This highlights an issue with util.FieldStorage in that it assumes that the
boundary attribute of the Content-Type header will always be the last thing in
the value. Ie., the code in FieldStorage is:
# figure out boundary
try:
i = ctype.lower().rindex("boundary=")
boundary = ctype[i+9:]
if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
boundary = boundary[1:-1]
boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
The FieldStorage code should correctly split out all attributes from the line
and then deal with list the boundary attribute by itself and not make
assumptions about the order of attributes on the line. The code is also
questionable depending on whether it is guaranteed by Apache that trailing
space is striped from the value of headers. If there is trailing white space it
will interfere with the check for whether the boundary is surrounded by quotes.
Finally, does the specification for HTTP headers always entail the use of a
double quote as this is the only thing that is checked for?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
