Hi guys,

I've found a fairly icky but subtle bug in web.input(). If you submit a form
-- with GET or POST, doesn't matter -- and set enctype="text/plain",
web.input() will bomb out, because it assumes FieldStorage().list is not
None, which isn't the case when enctype="text/plain".

At first I thought this was the cgi module's problem, but then I realised
it's not really, because with text/plain you don't really *have* a list of
values, so it makes sense for cgi.py to set .list to None.

Part of the reason it's subtle is because the Django traceback doesn't show
up either -- because when the first exception occurs, djangoerror() tries to
call web.input() too. So you get a hard-to-debug error-within-an-error. We
noticed it because someone (hacker or badly written bot or something) was
causing HTTP 500s by doing this.

It's easy to reproduce this on a web.py site. Just create a form like so:

<form action='/path/to/my-action' method='post' enctype='text/plain'>
 <input type='submit' name='submit' value='Bomb out!'>
</form>

I've fixed it by adding a ".list is None" test in the FieldStorage() parts
of webapi.input() to be like so -- note you have to fix it in both GET and
POST sections:

-----------------------
    if _method.lower() in ['both', 'post']:
        if e['REQUEST_METHOD'] == 'POST':
            a = cgi.FieldStorage(fp = StringIO(data()), environ=e,
              keep_blank_values=1)
            # so if the user has given enctype='text/plain' it doesn't bomb out
            if a.list is None:
                a.list = []
            a = dictify(a)

    if _method.lower() in ['both', 'get']:
        e['REQUEST_METHOD'] = 'GET'
        b = cgi.FieldStorage(environ=e, keep_blank_values=1)
        if b.list is None:  # same as above
            b.list = []
        b = dictify(b)
-----------------------

Cheers,
Ben.

-- 
Ben Hoyt, http://benhoyt.com/
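The following is an added example, not code from the post or from web.py itself. It models the failure mode described above (cgi.FieldStorage().list being None for an enctype='text/plain' submission) and the guard applied in both the POST and GET branches, so the effect of the fix can be checked offline. FakeFieldStorage is a constructed stand-in for cgi.FieldStorage that reproduces only the .list behaviour the report depends on; dictify_naive, dictify_guarded, web_input and naive_fails are hypothetical names, and the request dictionaries are constructed sample input.

```python
from urllib.parse import parse_qs


class FakeFieldStorage:
    """Constructed stand-in for cgi.FieldStorage (not the real class).

    It reproduces only the behaviour the report depends on: for an
    application/x-www-form-urlencoded request, .list holds (name, value)
    pairs; for enctype='text/plain' (or any other type it cannot parse),
    .list is None. GET requests read QUERY_STRING and POST requests read
    the body, both decided by CONTENT_TYPE; this is a simplification.
    """

    def __init__(self, environ, body="", keep_blank_values=True):
        ctype = environ.get("CONTENT_TYPE", "application/x-www-form-urlencoded")
        ctype = ctype.split(";")[0].strip().lower()
        if environ.get("REQUEST_METHOD") == "GET":
            source = environ.get("QUERY_STRING", "")
        else:
            source = body
        if ctype == "application/x-www-form-urlencoded":
            parsed = parse_qs(source, keep_blank_values=keep_blank_values)
            self.list = [(name, value) for name, values in parsed.items()
                         for value in values]
        else:
            self.list = None  # what cgi.FieldStorage does for text/plain


def dictify_naive(fs):
    """Before the fix: assumes fs.list is always iterable."""
    return {name: value for name, value in fs.list}


def dictify_guarded(fs):
    """After the fix: a None list is treated as an empty form."""
    if fs.list is None:
        fs.list = []
    return {name: value for name, value in fs.list}


def web_input(environ, body="", method="both"):
    """Model of webapi.input() with the guard in both the POST and GET branch.

    Later values win on duplicate names, which is a simplification of the
    real dictify().
    """
    e = dict(environ)
    result = {}
    if method.lower() in ("both", "post") and e.get("REQUEST_METHOD") == "POST":
        result.update(dictify_guarded(FakeFieldStorage(e, body)))
    if method.lower() in ("both", "get"):
        e["REQUEST_METHOD"] = "GET"
        result.update(dictify_guarded(FakeFieldStorage(e)))
    return result


def naive_fails(environ, body=""):
    """True if the unguarded path raises on this request (the original 500)."""
    try:
        dictify_naive(FakeFieldStorage(environ, body))
    except TypeError:
        return True
    return False


# Constructed requests: the form from the report, submitted two ways.
TEXT_PLAIN_POST = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": "text/plain",
                   "QUERY_STRING": ""}
TEXT_PLAIN_BODY = "submit=Bomb out!\r\n"

URLENCODED_POST = {"REQUEST_METHOD": "POST",
                   "CONTENT_TYPE": "application/x-www-form-urlencoded",
                   "QUERY_STRING": "page=2"}
URLENCODED_BODY = "submit=Bomb+out%21"

if __name__ == "__main__":
    print("unguarded raises on text/plain:",
          naive_fails(TEXT_PLAIN_POST, TEXT_PLAIN_BODY))
    print("guarded text/plain:", web_input(TEXT_PLAIN_POST, TEXT_PLAIN_BODY))
    print("guarded urlencoded:", web_input(URLENCODED_POST, URLENCODED_BODY))
```

The point of the guarded version is that an unexpected or unparseable content type degrades to an empty form rather than an unhandled exception, which is what turned a harmless odd request into HTTP 500s (and, via djangoerror() calling web.input() again, into an error hidden inside another error).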
