Package: python-bottle
Version: 0.12.7-1+deb8u1
Severity: normal

--- Please enter the report below this line. ---

Dear maintainer, the latest security update breaks existing code like the 
following script:

#!/usr/bin/env python
# coding=utf-8
import bottle

@bottle.route('/', method='GET')
def test():
    # mimetype is passed as a unicode literal (u'...'); this is what triggers the error
    return bottle.static_file('test.txt', root='.', mimetype=u'text/plain',
                              download='test.txt')

bottle.BaseRequest.MEMFILE_MAX = 5 * 1024 * 1024
bottle.debug(True)
bottle.run(host='127.0.0.1', port=8080, reloader=True, server='cherrypy')

Save a dummy file test.txt in the same directory and launch it with Python 2.7 
to try it yourself.

This used to work with version 0.12.7-1, now with 0.12.7-1+deb8u1 it shows this 
error in chromium:
"The requested resource returned more bytes than the declared Content-Length."

The actual trace as shown in the console where the script runs is:

Critical error while processing request: /
Error:
TypeError("WSGI response header value u'text/plain' is not of type str.",)
Traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/bottle.py", line 960, in wsgi
    start_response(response._status_line, response.headerlist)
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 2309, in start_response
    "WSGI response header value %r is not of type str." % v)
TypeError: WSGI response header value u'text/plain' is not of type str.

One workaround is to pass a string, not a unicode string, as mimetype:

    return bottle.static_file('test.txt', root='.', mimetype='text/plain',
                              download='test.txt')

At a minimum, it would be preferable to see the "Critical error while 
processing request" error, not the "The requested resource returned more bytes 
than the declared Content-Length." one, which is misleading.

For maximum backward compatibility, and if that does not cause side-effects, it 
would be nice if unicode strings would be OK as they used to be.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16.0-4-amd64

Debian Release: 8.6
  500 stable-updates  ftp.it.debian.org 
  500 stable          security.debian.org 
  500 stable          ftp.it.debian.org 
  100 jessie-backports ftp.it.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.
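
The failure reported above, as an added example that is not part of the original report and is not bottle's or CherryPy's code: a strict WSGI server accepts only native str header keys and values, so an application can coerce and validate its headers before calling start_response. All function names are hypothetical; the code runs on Python 2 and 3 (on Python 3 the non-native string type is bytes rather than unicode).

```python
import sys

PY2 = sys.version_info[0] == 2
text_type = type(u"")  # unicode on Python 2, str on Python 3


def strict_check(headers):
    """Reject non-native header strings, like the check seen in the traceback."""
    for name, value in headers:
        for part, kind in ((name, "key"), (value, "value")):
            if not isinstance(part, str):
                raise TypeError(
                    "WSGI response header %s %r is not of type str." % (kind, part))


def to_native(value):
    """Coerce a header key or value to the native str type required by PEP 3333."""
    if isinstance(value, str):
        native = value
    elif PY2 and isinstance(value, text_type):
        native = value.encode("latin-1")   # unicode -> byte str on Python 2
    elif isinstance(value, bytes):
        native = value.decode("latin-1")   # bytes -> text str on Python 3
    else:
        native = str(value)                # e.g. an integer Content-Length
    # PEP 3333 forbids control characters in headers; CR, LF and NUL are rejected here.
    if any(c in native for c in ("\r", "\n", "\0")):
        raise ValueError("control character in header: %r" % native)
    return native


def normalize_headers(headers):
    """Return a header list that passes strict_check, or raise ValueError."""
    return [(to_native(k), to_native(v)) for k, v in headers]


def sample_headers():
    # Constructed sample: Content-Type given in the non-native string type.
    non_native = u"text/plain" if PY2 else b"text/plain"
    return [("Content-Type", non_native), ("Content-Length", 5)]


if __name__ == "__main__":
    print(normalize_headers(sample_headers()))
```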



