defnull / multipart

A fast multipart/form-data parser for python
https://multipart.readthedocs.io/
MIT License

Attempting to read more data than is specified by Content-Length #58

Closed jun66j5 closed 2 months ago

jun66j5 commented 2 months ago

WSGI specification says:

The server is not required to read past the client’s specified Content-Length, and should simulate an end-of-file condition if the application attempts to read past that point. _The application should not attempt to read more data than is specified by the CONTENT_LENGTH variable_.

Input and Error Streams | PEP 3333 – Python Web Server Gateway Interface v1.0.1 | peps.python.org

However, the multipart module attempts to read more data than is specified by Content-Length while parsing form-data since multipart 1.0.0 (for urlencoded-data before this version also).

(Originally reported at https://trac.edgewall.org/ticket/13789)
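The PEP 3333 rule quoted in the report above, shown as an added example that is not part of the thread and is not the multipart project's code: a wrapper around `wsgi.input` that simulates end-of-file at `CONTENT_LENGTH`, compared with an unwrapped read. The names `LengthLimitedInput`, `read_until_eof` and `demo` are hypothetical, and the request bytes are constructed sample data.

```python
import io


class LengthLimitedInput:
    """Wrap wsgi.input and simulate EOF once CONTENT_LENGTH bytes were read."""

    def __init__(self, environ):
        self._stream = environ["wsgi.input"]
        # A missing or empty CONTENT_LENGTH is treated as "no body".
        self.remaining = max(0, int(environ.get("CONTENT_LENGTH") or 0))

    def _clamp(self, size):
        # Never request more from the server stream than the client declared.
        if size is None or size < 0 or size > self.remaining:
            return self.remaining
        return size

    def read(self, size=-1):
        size = self._clamp(size)
        data = self._stream.read(size) if size else b""
        self.remaining -= len(data)
        return data

    def readline(self, size=-1):
        size = self._clamp(size)
        line = self._stream.readline(size) if size else b""
        self.remaining -= len(line)
        return line


def read_until_eof(stream, chunk_size=8192):
    """Hypothetical consumer that reads fixed-size chunks until EOF."""
    chunks = []
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def demo():
    body = b"a=1&b=2"
    trailing = b"GET /next HTTP/1.1\r\n\r\n"  # constructed: bytes after the body
    # Unwrapped: the consumer over-reads past the declared length.
    naive = read_until_eof(io.BytesIO(body + trailing))
    # Wrapped: reads stop at CONTENT_LENGTH, later bytes stay in the stream.
    raw = io.BytesIO(body + trailing)
    environ = {"CONTENT_LENGTH": str(len(body)), "wsgi.input": raw}
    safe = read_until_eof(LengthLimitedInput(environ))
    return naive, safe, raw.read()
```

After reading, a non-zero `remaining` means fewer bytes arrived than `CONTENT_LENGTH` declared, which a caller can log as a truncated request.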

defnull commented 2 months ago

I have a fix ready and will probably push a patch release next week. Thanks for your very helpful reports so far!

Plan is to fully honor Content-Length, if defined. MultipartParser and parse_form_data() should over-read, and warn if they detect an obvious error (e.g. less data available than expected).

jun66j5 commented 2 months ago

Verified the issue being fixed with multipart 1.1.0. Thanks.