Ticket #127 (defect)
Opened 4 years ago
Last modified 3 years ago
Patch cgi.FieldStorage
Status: closed (fixed)
| Reported by: | rdelon | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: |
From http://sourceforge.net/tracker/?func=detail&aid=1112549&group_id=5470&atid=105470
cgi.FieldStorage memory usage can spike in line-oriented ops Various parts of cgi.FieldStorage call its "read_lines_to_outerboundary", "read_lines" and "skip_lines" methods. These methods use the "readline" method of the file object that represents an input stream. The input stream is typically data supplied by an untrusted source (such as a user uploading a file from a web browser). The input data is not required by the RFC 822/1521/1522/1867 specifications to contain any newline characters. For example, it is within the bounds of the specification to supply a a multipart/form-data input stream with a "file-data" part that consists of a 2GB string composed entirely of "x" characters (which happens to be something I did that led me to noticing this bug). The simplest fix is to make use of the "size" argument of the readline method of the file object where it is used within all parts of FieldStorage that make use of it. A patch against the Python 2.3.4 cgi.py module that does this is attached.
Change History
06/16/05 02:39:50: Modified by fumanchu
- status changed from new to closed.
- resolution set to fixed.
10/31/05 16:57:10: Modified by fumanchu
- description changed.
Fixed in changeset [321].