python-multipart 0.0.21__tar.gz → 0.0.23__tar.gz

{python_multipart-0.0.21 → python_multipart-0.0.23}/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.0.23 (2026-04-05)
+
+* Remove unused `trust_x_headers` parameter and `X-File-Name` fallback [#196](https://github.com/Kludex/python-multipart/pull/196).
+* Return processed length from `QuerystringParser._internal_write` [#229](https://github.com/Kludex/python-multipart/pull/229).
+* Cleanup metadata dunders from `__init__.py` [#227](https://github.com/Kludex/python-multipart/pull/227).
+
+## 0.0.22 (2026-01-25)
+
+* Drop directory path from filename in `File` [9433f4b](https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4).
+
 ## 0.0.21 (2025-12-17)
 
 * Add support for Python 3.14 and drop EOL 3.8 and 3.9 [#216](https://github.com/Kludex/python-multipart/pull/216).

{python_multipart-0.0.21 → python_multipart-0.0.23}/PKG-INFO

@@ -1,12 +1,13 @@
 Metadata-Version: 2.4
 Name: python-multipart
-Version: 0.0.21
+Version: 0.0.23
 Summary: A streaming multipart parser for Python
 Project-URL: Homepage, https://github.com/Kludex/python-multipart
 Project-URL: Documentation, https://kludex.github.io/python-multipart/
 Project-URL: Changelog, https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md
 Project-URL: Source, https://github.com/Kludex/python-multipart
-Author-email: Andrew Dunham <andrew@du.nham.ca>, Marcelo Trylesinski <marcelotryle@gmail.com>
+Author-email: Andrew Dunham <andrew@du.nham.ca>
+Maintainer-email: Marcelo Trylesinski <marcelotryle@gmail.com>
 License-Expression: Apache-2.0
 License-File: LICENSE.txt
 Classifier: Development Status :: 5 - Production/Stable

{python_multipart-0.0.21 → python_multipart-0.0.23}/multipart/__init__.py

@@ -21,4 +21,4 @@ for p in sys.path:
 else:
     warnings.warn("Please use `import python_multipart` instead.", PendingDeprecationWarning, stacklevel=2)
     from python_multipart import *
-    from python_multipart import __all__, __author__, __copyright__, __license__, __version__
+    from python_multipart import __all__, __version__

{python_multipart-0.0.21 → python_multipart-0.0.23}/pyproject.toml

@@ -11,6 +11,8 @@ license = "Apache-2.0"
 requires-python = ">=3.10"
 authors = [
     { name = "Andrew Dunham", email = "andrew@du.nham.ca" },
+]
+maintainers = [
     { name = "Marcelo Trylesinski", email = "marcelotryle@gmail.com" },
 ]
 classifiers = [
@@ -33,18 +35,18 @@ dependencies = []
 [dependency-groups]
 dev = [
     "atomicwrites==1.4.1",
-    "attrs==23.2.0",
-    "coverage==7.4.4",
-    "more-itertools==10.2.0",
-    "pbr==6.0.0",
-    "pluggy==1.4.0",
+    "attrs==26.1.0",
+    "coverage==7.13.5",
+    "more-itertools==10.8.0",
+    "pbr==7.0.3",
+    "pluggy==1.6.0",
     "py==1.11.0",
-    "pytest==8.1.1",
-    "pytest-cov==5.0.0",
-    "PyYAML==6.0.1",
-    "invoke==2.2.0",
-    "pytest-timeout==2.3.1",
-    "ruff==0.11.7",
+    "pytest==9.0.2",
+    "pytest-cov==7.1.0",
+    "PyYAML==6.0.3",
+    "invoke==2.2.1",
+    "pytest-timeout==2.4.0",
+    "ruff==0.15.8",
     "mypy",
     "types-PyYAML",
     "atheris==2.3.0; python_version <= '3.11'",

{python_multipart-0.0.21 → python_multipart-0.0.23}/python_multipart/__init__.py

@@ -1,8 +1,4 @@
-# This is the canonical package information.
-__author__ = "Andrew Dunham"
-__license__ = "Apache"
-__copyright__ = "Copyright (c) 2012-2013, Andrew Dunham"
-__version__ = "0.0.21"
+__version__ = "0.0.23"
 
 from .multipart import (
     BaseParser,

{python_multipart-0.0.21 → python_multipart-0.0.23}/python_multipart/multipart.py

@@ -375,7 +375,9 @@ class File:
 
         # Split the extension from the filename.
         if file_name is not None:
-            base, ext = os.path.splitext(file_name)
+            # Extract just the basename to avoid directory traversal
+            basename = os.path.basename(file_name)
+            base, ext = os.path.splitext(basename)
             self._file_base = base
             self._ext = ext
 
@@ -934,7 +936,7 @@ class QuerystringParser(BaseParser):
 
         self.state = state
         self._found_sep = found_sep
-        return len(data)
+        return length
 
     def finalize(self) -> None:
         """Finalize this parser, which signals to that we are finished parsing,
@@ -1782,7 +1784,6 @@ def create_form_parser(
     headers: dict[str, bytes],
     on_field: OnFieldCallback | None,
     on_file: OnFileCallback | None,
-    trust_x_headers: bool = False,
     config: dict[Any, Any] = {},
 ) -> FormParser:
     """This function is a helper function to aid in creating a FormParser
@@ -1795,8 +1796,6 @@ def create_form_parser(
         headers: A dictionary-like object of HTTP headers.  The only required header is Content-Type.
         on_field: Callback to call with each parsed field.
         on_file: Callback to call with each parsed file.
-        trust_x_headers: Whether or not to trust information received from certain X-Headers - for example, the file
-            name from X-File-Name.
         config: Configuration variables to pass to the FormParser.
     """
     content_type: str | bytes | None = headers.get("Content-Type")
@@ -1812,11 +1811,8 @@ def create_form_parser(
     # We need content_type to be a string, not a bytes object.
     content_type = content_type.decode("latin-1")
 
-    # File names are optional.
-    file_name = headers.get("X-File-Name")
-
     # Instantiate a form parser.
-    form_parser = FormParser(content_type, on_field, on_file, boundary=boundary, file_name=file_name, config=config)
+    form_parser = FormParser(content_type, on_field, on_file, boundary=boundary, config=config)
 
     # Return our parser.
     return form_parser

python_multipart-0.0.23/tests/test_file.py

@@ -0,0 +1,26 @@
+from pathlib import Path
+
+from python_multipart.multipart import File
+
+
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None:
+    upload_dir = tmp_path / "upload"
+    upload_dir.mkdir()
+
+    # When the file_name provided has a leading slash, we should only use the basename.
+    # This is to avoid directory traversal.
+    to_upload = tmp_path / "foo.txt"
+
+    file = File(
+        bytes(to_upload),
+        config={
+            "UPLOAD_DIR": bytes(upload_dir),
+            "UPLOAD_KEEP_FILENAME": True,
+            "UPLOAD_KEEP_EXTENSIONS": True,
+            "MAX_MEMORY_FILE_SIZE": 10,
+        },
+    )
+    file.write(b"123456789012")
+    assert not file.in_memory
+    assert Path(upload_dir / "foo.txt").exists()
+    assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"

{python_multipart-0.0.21 → python_multipart-0.0.23}/tests/test_multipart.py

@@ -1371,6 +1371,7 @@ class TestFormParser(unittest.TestCase):
         self.assertEqual(calls, 3)
 
 
+@parametrize_class
 class TestHelperFunctions(unittest.TestCase):
     def test_create_form_parser(self) -> None:
         r = create_form_parser({"Content-Type": b"application/octet-stream"}, None, None)