You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mod_python-dev@quetz.apache.org by "Nicolas Lehuen (JIRA)" <ji...@apache.org> on 2005/03/25 22:54:19 UTC

[jira] Created: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

FieldStorage : don't stream file uploads to memory
--------------------------------------------------

         Key: MODPYTHON-40
         URL: http://issues.apache.org/jira/browse/MODPYTHON-40
     Project: mod_python
        Type: Bug
    Versions: 3.1.4    
    Reporter: Nicolas Lehuen


In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.

We should :

1) Always stream file upload to disk
2) Define a default maximum file size which could be overridable.
3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

[jira] Resolved: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

Posted by "Nicolas Lehuen (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-40?page=history ]
     
Nicolas Lehuen resolved MODPYTHON-40:
-------------------------------------

     Resolution: Fixed
    Fix Version: 3.2.0

Fix by Barry Pearce - see the python-dev archives on GMane (sorry, the message has not been indexed by GMane yet) for an explanation of the fixes.

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2.0

>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

[jira] Reopened: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

Posted by "Nicolas Lehuen (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]
     
Nicolas Lehuen reopened MODPYTHON-40:
-------------------------------------


The fix has a bug - see http://www.modpython.org/pipermail/mod_python/2005-November/019468.html and the python-dev mailing list (GMane archive are not up to date, sorry).

Alexis Marrero <am...@mitre.org> has proposed a fix, inspired from what CherryPy does. I've added a few unit tests to the mix, with the help of Jim Gallacher who found a small file that could always break the file upload system.


> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2

>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Closed: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

Posted by "Graham Dumpleton (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]
     
Graham Dumpleton closed MODPYTHON-40:
-------------------------------------


> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2.7

>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Commented: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

Posted by "Nicolas Lehuen (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-40?page=comments#action_61569 ]
     
Nicolas Lehuen commented on MODPYTHON-40:
-----------------------------------------

Two threads on this issue :

http://www.modpython.org/pipermail/mod_python/2005-March/017754.html

and 

http://www.modpython.org/pipermail/mod_python/2005-March/017756.html

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen

>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

[jira] Resolved: (MODPYTHON-40) FieldStorage : don't stream file uploads to memory

Posted by "Nicolas Lehuen (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]
     
Nicolas Lehuen resolved MODPYTHON-40:
-------------------------------------

    Resolution: Fixed

OK, this time I think the file upload problem is solved for good. I've
checked-in Alexis's code, with comments. Then I've done a quick
rewrite of the multipart/form-data parser found in
FieldStorage.__init__ and read_to_boundary so that it uses a regexp
for the boundary checks, with the hope that it simplify the code a
little bit (and remove thos nasty strip() calls). I've re-ran all
tests and everything seems OK.

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2

>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if its Content-Disposition header features a filename attribute. Otherwise, the file is streamed to memory, thus opening a potential DoS attack by uploading very large files.
> We should :
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be made, with a default to a temporary directory / file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira