[ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]

Nicolas Lehuen reopened MODPYTHON-40:
-------------------------------------

The fix has a bug - see http://www.modpython.org/pipermail/mod_python/2005-November/019468.html and the python-dev mailing list (GMane archives are not up to date, sorry). Alexis Marrero <[EMAIL PROTECTED]> has proposed a fix, inspired by what CherryPy does. I've added a few unit tests to the mix, with the help of Jim Gallacher, who found a small file that could always break the file upload system.

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2
>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if
> its Content-Disposition header features a filename attribute. Otherwise, the
> file is streamed to memory, thus opening a potential DoS attack by uploading
> very large files.
> We should:
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be
> made, with a default to a temporary directory / file.
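The three-point remedy quoted in the issue (spool every part to disk regardless of the filename attribute, enforce a size cap, make the upload directory configurable), as an added example that is not mod_python's or CherryPy's own code: a minimal multipart/form-data parser. It takes the whole `body` in memory so it runs stand-alone; a real handler would feed chunks from the request stream, and `parse_multipart`, `UploadTooLarge` and `SAMPLE_BODY` are names chosen for this example.

```python
import tempfile

class UploadTooLarge(Exception):
    """A part exceeded max_size; its partial temporary file was discarded."""

def _disposition_params(value):
    # 'form-data; name="f"; filename="a.txt"' -> {"name": "f", "filename": "a.txt"}
    params = {}
    for item in value.split(";")[1:]:
        k, _, v = item.strip().partition("=")
        params[k.lower()] = v.strip('"')
    return params

def parse_multipart(body, boundary, max_size=1 << 20, upload_dir=None, chunk=8192):
    """Parse a multipart/form-data body. Every part's payload is written to a
    temporary file in upload_dir (never held in memory), and a part larger than
    max_size aborts the parse whether or not it carries a filename attribute.
    Returns a list of dicts: name, filename (None for plain fields), file, size."""
    delim = b"--" + boundary
    parts = []
    for raw in body.split(delim)[1:]:    # [0] is the preamble before the first delimiter
        if raw.startswith(b"--"):        # closing "--boundary--" marker
            break
        head, _, payload = raw.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):    # CRLF that belongs to the next delimiter
            payload = payload[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            if b":" in line:
                k, v = line.decode("latin-1").split(":", 1)
                headers[k.strip().lower()] = v.strip()
        disp = _disposition_params(headers.get("content-disposition", ""))
        f, written = tempfile.TemporaryFile(dir=upload_dir), 0
        for i in range(0, len(payload), chunk):
            piece = payload[i:i + chunk]
            written += len(piece)
            if written > max_size:
                f.close()                # TemporaryFile is unlinked on close
                raise UploadTooLarge(disp.get("name"), written)
            f.write(piece)
        f.seek(0)
        parts.append({"name": disp.get("name"), "filename": disp.get("filename"),
                      "file": f, "size": written})
    return parts

# Constructed sample body (not from the page): one part with a filename, one without.
SAMPLE_BODY = (b'--XX\r\nContent-Disposition: form-data; name="doc"; filename="a.txt"\r\n'
               b'Content-Type: text/plain\r\n\r\nhello\r\n'
               b'--XX\r\nContent-Disposition: form-data; name="blob"\r\n\r\n'
               + b"x" * 4000 + b"\r\n--XX--\r\n")
```

The second part has no filename attribute, which is exactly the case the issue says was buffered in memory; here it is spooled to disk and capped like any other part.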