You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2007/01/24 23:10:49 UTC

[jira] Commented: (MODPYTHON-210) FieldStorage wrongly assumes boundary is last attribute in Content-Type headers value.

    [ https://issues.apache.org/jira/browse/MODPYTHON-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12467170 ] 

Graham Dumpleton commented on MODPYTHON-210:
--------------------------------------------

Emiliano posts this patch:

  http://www.modpython.org/pipermail/mod_python/2007-January/023092.html

It does however use Python "set" which can't be used as only newer versions of Python support it.

> FieldStorage wrongly assumes boundary is last attribute in Content-Type headers value.
> --------------------------------------------------------------------------------------
>
>                 Key: MODPYTHON-210
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-210
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3, 3.2.10
>            Reporter: Graham Dumpleton
>
> Mozilla can generate multipart content that looks like:
> Content-Length: 522 
> Content-Type: multipart/related; boundary=---------------------------13592280651221337293469391600; type="application/xml"; start="<4c599da9.58c746e8@mozilla.org >" 
> Cookie: lang=1 
>  
> This highlights an issue with util.FieldStorage in that it assumes that the boundary attribute of the Content-Type header will always be the last thing in the value. Ie., the code in FieldStorage is:
>         # figure out boundary
>         try:
>             i = ctype.lower().rindex("boundary=")
>             boundary = ctype[i+9:]
>             if len(boundary) >= 2 and boundary[0] == boundary[-1] == '"':
>                 boundary = boundary[1:-1]
>             boundary = re.compile("--" + re.escape(boundary) + "(--)?\r?\n")
> The FieldStorage code should correctly split out all attributes from the line and then deal with list the boundary attribute by itself and not make assumptions about the order of attributes on the line. The code is also questionable depending on whether it is guaranteed by Apache that trailing space is striped from the value of headers. If there is trailing white space it will interfere with the check for whether the boundary is surrounded by quotes. Finally, does the specification for HTTP headers always entail the use of a double quote as this is the only thing that is checked for?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.