[ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]

Nicolas Lehuen resolved MODPYTHON-40:
-------------------------------------

Resolution: Fixed

OK, this time I think the file upload problem is solved for good. I've checked in Alexis's code, with comments. Then I've done a quick rewrite of the multipart/form-data parser found in FieldStorage.__init__ and read_to_boundary so that it uses a regexp for the boundary checks, with the hope that it simplifies the code a little bit (and removes those nasty strip() calls). I've re-run all tests and everything seems OK.

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
> Key: MODPYTHON-40
> URL: http://issues.apache.org/jira/browse/MODPYTHON-40
> Project: mod_python
> Type: Bug
> Versions: 3.1.4
> Reporter: Nicolas Lehuen
> Fix For: 3.2
>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if
> its Content-Disposition header features a filename attribute. Otherwise, the
> file is streamed to memory, thus opening a potential DoS attack by uploading
> very large files.
> We should:
> 1) Always stream file uploads to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow the user to specify in which directory file uploads should be
> made, with a default to a temporary directory / file.
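
The three points of the issue, together with a regexp-based boundary check, as an added example; this is not mod_python's code. The names stream_part_to_disk, UploadTooLarge, CHUNK and DEFAULT_MAX_BYTES are hypothetical, and the 10 MiB default is an assumption.

```python
import io
import re
import tempfile

CHUNK = 65536                      # per-read cap: memory use stays constant
DEFAULT_MAX_BYTES = 10 * 2**20     # assumed default limit, overridable per call
EOL = re.compile(rb"(\r\n|\n|\r)\Z")


class UploadTooLarge(Exception):
    """Raised when a part body exceeds max_bytes."""


def stream_part_to_disk(stream, boundary, max_bytes=DEFAULT_MAX_BYTES, upload_dir=None):
    """Copy one part body from `stream` to a temp file, stopping at the boundary.

    Returns (file, is_last_part); the file is rewound and lives in `upload_dir`
    (system temp directory when None). Used for every part, filename or not.
    """
    delim = re.compile(rb"--" + re.escape(boundary) + rb"(--)?[ \t]*\r?\n?\Z")
    out = tempfile.TemporaryFile(dir=upload_dir)
    written, pending, at_line_start = 0, b"", True
    try:
        while True:
            line = stream.readline(CHUNK)
            if not line:
                raise ValueError("stream ended before the closing boundary")
            # A delimiter only counts when it starts a line, not mid-chunk.
            m = delim.match(line) if at_line_start else None
            if m:
                # The held-back line ending belongs to the delimiter: drop it.
                out.seek(0)
                return out, m.group(1) is not None
            data = pending + line
            eol = EOL.search(data)
            cut = eol.start() if eol else len(data)
            data, pending = data[:cut], data[cut:]
            at_line_start = line.endswith(b"\n")
            written += len(data)
            if written > max_bytes:
                raise UploadTooLarge("part exceeds %d bytes" % max_bytes)
            out.write(data)
    except Exception:
        out.close()
        raise
```

Holding back the trailing line ending removes the need for strip() calls: the CRLF before a delimiter is never written, while line endings inside the body are preserved.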