Graham Dumpleton commented on MODPYTHON-210:

Emiliano posts this patch:


It does however use Python "set" which can't be used as only newer versions of 
Python support it.

> FieldStorage wrongly assumes boundary is last attribute in Content-Type 
> headers value.
> --------------------------------------------------------------------------------------
>                 Key: MODPYTHON-210
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-210
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3, 3.2.10
>            Reporter: Graham Dumpleton
> Mozilla can generate multipart content that looks like:
> Content-Length: 522 
> Content-Type: multipart/related; 
> boundary=---------------------------13592280651221337293469391600; 
> type="application/xml"; start="<[EMAIL PROTECTED] >" 
> Cookie: lang=1 
> This highlights an issue with util.FieldStorage in that it assumes that the 
> boundary attribute of the Content-Type header will always be the last thing 
> in the value. I.e., the code in FieldStorage is:
>         # figure out boundary
>         try:
>             i = ctype.lower().rindex("boundary=")
>             boundary = ctype[i+9:]
>             if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
>                 boundary = boundary[1:-1]
>             boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
> The FieldStorage code should correctly split out all attributes from the line 
> and then deal with the boundary attribute by itself and not make 
> assumptions about the order of attributes on the line. The code is also 
> questionable depending on whether it is guaranteed by Apache that trailing 
> space is stripped from the value of headers. If there is trailing white space 
> it will interfere with the check for whether the boundary is surrounded by 
> quotes. Finally, does the specification for HTTP headers always entail the 
> use of a double quote as this is the only thing that is checked for?
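
An added example, not part of the original message and not mod_python's code: the quoted logic beside a parser that splits out every Content-Type attribute and reads the boundary on its own, whatever its position, quoting or trailing white space. The function names, the placeholder start value in the sample header and the rule that the first occurrence of a repeated attribute wins are assumptions of this example.

```python
import re

# One ";name=value" attribute. The value is either a bare token or a
# double-quoted string (the RFC 2045 parameter grammar), with backslash
# escapes allowed inside the quotes.
_PARAM = re.compile(r';\s*([^\s=;"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]*))')


def legacy_boundary(ctype):
    """The logic quoted in the issue: everything after the last 'boundary='."""
    i = ctype.lower().rindex("boundary=")
    boundary = ctype[i + 9:]
    if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
        boundary = boundary[1:-1]
    return boundary


def content_type_params(ctype):
    """Return a dict mapping lower-cased attribute names to unquoted values."""
    params = {}
    for name, quoted, token in _PARAM.findall(ctype):
        if quoted:
            value = re.sub(r"\\(.)", r"\1", quoted)  # undo backslash escapes
        else:
            value = token
        # Assumption of this example: the first occurrence of a name wins.
        params.setdefault(name.lower(), value)
    return params


def boundary_delimiter(ctype):
    """Compile the delimiter regex from the boundary attribute alone."""
    boundary = content_type_params(ctype).get("boundary")
    if not boundary:
        raise ValueError("multipart Content-Type has no boundary attribute")
    return re.compile("--" + re.escape(boundary) + "(--)?\r?\n")


# Constructed header modelled on the one in the report; the start value is a
# placeholder and the trailing spaces are deliberate.
SAMPLE = ('multipart/related; '
          'boundary=---------------------------13592280651221337293469391600; '
          'type="application/xml"; start="<placeholder@example.invalid>"  ')
```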
