Closes #23801 - Ignore entire preamble to multipart in cgi.FieldStorage

dstufft · dstufft · commit d90f8d10e088 · 2015-03-29T16:43:23.000-04:00
diff --git a/Lib/cgi.py b/Lib/cgi.py
@@ -693,8 +693,13 @@ def read_multi(self, environ, keep_blank_values, strict_parsing):
             raise ValueError("%s should return bytes, got %s" \
                              % (self.fp, type(first_line).__name__))
         self.bytes_read += len(first_line)
-        # first line holds boundary ; ignore it, or check that
-        # b"--" + ib == first_line.strip() ?
+
+        # Ensure that we consume the file until we've hit our inner boundary
+        while (first_line.strip() != (b"--" + self.innerboundary) and
+                first_line):
+            first_line = self.fp.readline()
+            self.bytes_read += len(first_line)
+
         while True:
             parser = FeedParser()
             hdr_text = b""
diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py
@@ -248,6 +248,25 @@ def test_fieldstorage_multipart(self):
                 got = getattr(fs.list[x], k)
                 self.assertEqual(got, exp)
 
+    def test_fieldstorage_multipart_leading_whitespace(self):
+        env = {
+            'REQUEST_METHOD': 'POST',
+            'CONTENT_TYPE': 'multipart/form-data; boundary={}'.format(BOUNDARY),
+            'CONTENT_LENGTH': '560'}
+        # Add some leading whitespace to our post data that will cause the
+        # first line to not be the innerboundary.
+        fp = BytesIO(b"\r\n" + POSTDATA.encode('latin-1'))
+        fs = cgi.FieldStorage(fp, environ=env, encoding="latin-1")
+        self.assertEqual(len(fs.list), 4)
+        expect = [{'name':'id', 'filename':None, 'value':'1234'},
+                  {'name':'title', 'filename':None, 'value':''},
+                  {'name':'file', 'filename':'test.txt', 'value':b'Testing 123.\n'},
+                  {'name':'submit', 'filename':None, 'value':' Add '}]
+        for x in range(len(fs.list)):
+            for k, exp in expect[x].items():
+                got = getattr(fs.list[x], k)
+                self.assertEqual(got, exp)
+
     def test_fieldstorage_multipart_non_ascii(self):
         #Test basic FieldStorage multipart parsing
         env = {'REQUEST_METHOD':'POST',
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -124,6 +124,9 @@ Library
 
 - Issue #23361: Fix possible overflow in Windows subprocess creation code.
 
+- Issue #23801: Fix issue where cgi.FieldStorage did not always ignore the
+  entire preamble to a multipart body.
+
 Tests
 -----
 
