[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Éric Araujo added the comment: Both active PRs have comments pointing out issues, that’s why this is still open. A clean fix with unit tests and no regression is needed. -- nosy: +eric.araujo versions: +Python 3.10, Python 3.11, Python 3.9 -Python 3.6, Python 3.7, Python 3.8

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Christoph Zwerschke added the comment: Just created a test case for this problem after a pentest provoked this error on one of my web apps. Then I found this bug report which already has a similar test case attached. The problem is that read_binary() as the name says reads binary data, but

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bradley Miller added the comment: Thanks Jakub, Your patch fixed an increasingly frequent problem with my site. How can I help to get this merged so I don't have to have a custom version of cgi.py?? -- nosy: +bnmnetp ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Jakub Kulik added the comment: We internally tested the most recent PR and found some issues with it: https://github.com/python/cpython/pull/21457#issuecomment-698845895 We ended up using a much simpler patch, which seems to work as expected. --- Python-3.7.8/Lib/cgi.py +++

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Rhodri James : -- nosy: -Rhodri James ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Aron Podrigal : -- pull_requests: +20604 pull_request: https://github.com/python/cpython/pull/21457 ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Tim Nyborg added the comment: Echoing Fran Boon, I'm wondering what needs to happen to get the fixes merged and this issue resolved. It affects web servers run on several frameworks, which is more of a problem now, since so many of us migrated to py3 in advance of py2 EOL. --

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Fran Boon added the comment: What is happening with this bug? I am amazed that nearly 4 years on it doesn't seem to have been resolved. The issue took me a fairly long time to debug the cause of, but once known the issue seems relatively simple to resolve & there are a couple of Pull Requests

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Ethan Furman : -- assignee: -> ethan.furman nosy: +Rhodri James, ethan.furman versions: -Python 3.5 ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Christoph Zwerschke added the comment: This also happens when sending POST requests with JSON payload from a browser with XMLHttpRequest to a Python 3.7 backend using FieldStorage. It seems XMLHttpRequest adds the content length automatically. --

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Christoph Zwerschke : -- nosy: +cito ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Edward Gow added the comment: This bug is triggered by xml-rpc calls from the xmlrpc.client in the Python 3.5 standard library to a mod_wsgi/Python 3.5 endpoint. -- nosy: +elgow ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Aron Podrigal added the comment: A different approach. Always honor content length, and do not try to read more than. -- ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Roundup Robot : -- pull_requests: +11715, 11716, 11717, 11718 ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Roundup Robot : -- pull_requests: +11715, 11716, 11717 ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Roundup Robot : -- pull_requests: +11715, 11716 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Roundup Robot : -- pull_requests: +11715 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Rémi Lapeyre : -- nosy: +remi.lapeyre ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Aron Podrigal added the comment: I am experiencing the same issue. https://github.com/python/cpython/pull/10771 looks good. While were at it, and if PR 10771 is accepted, maybe we can change https://github.com/python/cpython/blob/6613b56173d26f32da9945691ff9f824304224a2/Lib/cgi.py#L717

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Pierre Quentel added the comment: I have submitted another Pull Request (10771) that seems to fix the bug while passing all the tests in test_cgi.py -- nosy: +quentel ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Pierre Quentel : -- pull_requests: +10015 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Jack Jansen : -- nosy: +jackjansen ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: I don't know if you've read the dialog on the PR (there was also some offline between Ned and myself), but the patch breaks a test when running under a fresh build of Python. I can't reproduce it here without setting up a build system, which I haven't had

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bert JW Regeer added the comment: I'll take a look and see if I can get the other fixes from WebOb and add them to a patch, and create a follow-up PR. If I can stop carrying a monkey patch for the standard library I am all for it! Thanks for running with this! -- nosy: +Bert JW

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: Packaged patch offered below into PR 7804 https://github.com/python/cpython/pull/7804 -- versions: +Python 3.5 ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Chris Eykamp : -- pull_requests: +7409 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: I'll get a PR submitted this weekend, and post back here. It will not explicitly address that other case, as I don't have the capacity or wherewithal for that. Alas. -- ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Berker Peksag added the comment: That's even better! :) Please submit your work as a pull request. Did you take a look at https://github.com/Pylons/webob/pull/300 as well? Can we use the test in the PR? Is it possible to adapt it solve both this and WebOb issues? --

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: I've already got a PR based on the patch listed under the Files section (it's prepared, not yet submitted), but if you want to do something more, I'll step back and let you do it. -- ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Berker Peksag added the comment: Thank you for the ping, Chris. I will try to combine Bert's and Julien's patches and prepare a PR this weekend. -- versions: +Python 3.8 -Python 3.5 ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by STINNER Victor : -- nosy: -vstinner ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: This also manifests itself when using web.py: if the underlying code throws an exception, this is emitted: File "/usr/local/lib/python3.5/dist-packages/web/webapi.py", line 364, in input out = rawinput(_method) File

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Chris Eykamp added the comment: I've been experiencing the same issue, which is triggered in the exception handling of web.py. Bert's proposed fix, adding the zero byte check (if self._binary_file or self.length >= 0:) addresses the issue I'm seeing (tested on 3.5, it's what's available

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Change by Sebastian Rittau : -- nosy: +srittau ___ Python tracker ___ ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bert JW Regeer added the comment: Unfortunately I need to spin another patch, the one I created didn't solve the issue for one of WebOb's users: https://github.com/Pylons/webob/pull/300 (Thanks Julien Meyer!) I have his permission to grab his test/patch and update this patch, I will get this

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Ned Deily added the comment: Berker asks in IRC whether this change should go into 3.6.0 (at rc1). While it is affecting a relatively self-contained part of the standard library (cgi), the issue doesn't seem to be "release critical". Further, it is changing behavior that was changed barely

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Changes by Berker Peksag : -- stage: needs patch -> patch review ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bert JW Regeer added the comment: @berker.peksag: Attached is a patch with a test case that exercises this issue. Code path is that read_single() checks if the length is greater than 0, and then it reads binary, otherwise it reads it as a single line. This fixes make_file so that if

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Berker Peksag added the comment: Thanks for triaging this, Bert. Would you like to propose a patch with a test case? Note that we can't fix this in 3.3 and 3.4 because they are in security-fix-only mode. See https://docs.python.org/devguide/index.html#status-of-python-branches for details.

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bert JW Regeer added the comment: Updated versions this applies to. -- versions: +Python 3.3, Python 3.4, Python 3.6, Python 3.7 ___ Python tracker ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Changes by Bert JW Regeer : -- nosy: +berker.peksag ___ Python tracker ___ ___

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Bert JW Regeer added the comment: On line #890 in self.make_file() the check for _binary_file should be changed to also check for self.length >= 0. https://github.com/python/cpython/blob/3.4/Lib/cgi.py#L890 becomes: if self._binary_file or self.length >= 0: _binary_file is only ever set if

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Decorater added the comment: Here is a patch to review (note I only had disc space to clone 3.6 so I had to manually download this version of the file). -- Added file: http://bugs.python.org/file44125/cgi.py ___ Python tracker

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

Decorater added the comment: hmm into looking it should check if it is in actuality a binary file the length of the file data does not really determine anything on encoding really. if self._binary_file: would suffice on determining binary mode or not. -- nosy: +Decorater

[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

New submission from rr-: Sending requests with Content-Length but without Content-Disposition headers causes following error: Traceback (most recent call last): File "./test", line 19, in form = cgi.FieldStorage(fp=env['wsgi.input'], environ=env) File "/usr/lib/python3.5/cgi.py", line