[ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]
Nicolas Lehuen resolved MODPYTHON-40:

    Resolution: Fixed

OK, this time I think the file upload problem is solved for good. I've
checked-in Alexis's code, with comments. Then I've done a quick
rewrite of the multipart/form-data parser found in
FieldStorage.__init__ and read_to_boundary so that it uses a regexp
for the boundary checks, with the hope that it simplify the code a
little bit (and remove thos nasty strip() calls). I've re-ran all
tests and everything seems OK.

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2

> In mod_python.py/util.py, line 169, we stream a file upload to disk only if 
> its Content-Disposition header features a filename attribute. Otherwise, the 
> file is streamed to memory, thus opening a potential DoS attack by uploading 
> very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be 
> made, with a default to a temporary directory / file.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

Reply via email to