python-multipart 0.0.6__tar.gz → 0.0.8__tar.gz

{python_multipart-0.0.6 → python_multipart-0.0.8}/PKG-INFO

@@ -1,10 +1,10 @@
 Metadata-Version: 2.1
 Name: python-multipart
-Version: 0.0.6
+Version: 0.0.8
 Summary: A streaming multipart parser for Python
 Project-URL: Homepage, https://github.com/andrew-d/python-multipart
 Project-URL: Documentation, https://andrew-d.github.io/python-multipart/
-Project-URL: Changelog, https://github.com/andrew-d/python-multipart/tags
+Project-URL: Changelog, https://github.com/andrew-d/python-multipart/blob/master/CHANGELOG.md
 Project-URL: Source, https://github.com/andrew-d/python-multipart
 Author-email: Andrew Dunham <andrew@du.nham.ca>
 License-Expression: Apache-2.0
@@ -28,7 +28,7 @@ Requires-Dist: atomicwrites==1.2.1; extra == 'dev'
 Requires-Dist: attrs==19.2.0; extra == 'dev'
 Requires-Dist: coverage==6.5.0; extra == 'dev'
 Requires-Dist: hatch; extra == 'dev'
-Requires-Dist: invoke==1.7.3; extra == 'dev'
+Requires-Dist: invoke==2.2.0; extra == 'dev'
 Requires-Dist: more-itertools==4.3.0; extra == 'dev'
 Requires-Dist: pbr==4.3.0; extra == 'dev'
 Requires-Dist: pluggy==1.0.0; extra == 'dev'
@@ -65,5 +65,5 @@ If you want to test:
 
 .. code-block:: bash
 
-    $ pip install .[dev]
+    $ pip install '.[dev]'
     $ inv test

{python_multipart-0.0.6 → python_multipart-0.0.8}/README.rst

@@ -24,5 +24,5 @@ If you want to test:
 
 .. code-block:: bash
 
-    $ pip install .[dev]
+    $ pip install '.[dev]'
     $ inv test

{python_multipart-0.0.6 → python_multipart-0.0.8}/multipart/__init__.py

@@ -1,15 +1,15 @@
 # This is the canonical package information.
-__author__    = 'Andrew Dunham'
-__license__   = 'Apache'
+__author__ = "Andrew Dunham"
+__license__ = "Apache"
 __copyright__ = "Copyright (c) 2012-2013, Andrew Dunham"
-__version__   = "0.0.6"
+__version__ = "0.0.8"
 
 
 from .multipart import (
     FormParser,
     MultipartParser,
-    QuerystringParser,
     OctetStreamParser,
+    QuerystringParser,
     create_form_parser,
     parse_form,
 )

{python_multipart-0.0.6 → python_multipart-0.0.8}/multipart/multipart.py

@@ -2,13 +2,14 @@ from .decoders import *
 from .exceptions import *
 
 import os
-import re
 import sys
 import shutil
 import logging
 import tempfile
 from io import BytesIO
 from numbers import Number
+from email.message import Message
+from typing import Dict, Union, Tuple
 
 # Unique missing object.
 _missing = object()
@@ -65,55 +66,50 @@ lower_char = lambda c: c | 0x20
 ord_char = lambda c: c
 join_bytes = lambda b: bytes(list(b))
 
-# These are regexes for parsing header values.
-SPECIAL_CHARS = re.escape(b'()<>@,;:\\"/[]?={} \t')
-QUOTED_STR = br'"(?:\\.|[^"])*"'
-VALUE_STR = br'(?:[^' + SPECIAL_CHARS + br']+|' + QUOTED_STR + br')'
-OPTION_RE_STR = (
-    br'(?:;|^)\s*([^' + SPECIAL_CHARS + br']+)\s*=\s*(' + VALUE_STR + br')'
-)
-OPTION_RE = re.compile(OPTION_RE_STR)
-QUOTE = b'"'[0]
 
-
-def parse_options_header(value):
+def parse_options_header(value: Union[str, bytes]) -> Tuple[bytes, Dict[bytes, bytes]]:
     """
     Parses a Content-Type header into a value in the following format:
         (content_type, {parameters})
     """
+    # Uses email.message.Message to parse the header as described in PEP 594.
+    # Ref: https://peps.python.org/pep-0594/#cgi
     if not value:
         return (b'', {})
 
-    # If we are passed a string, we assume that it conforms to WSGI and does
-    # not contain any code point that's not in latin-1.
-    if isinstance(value, str):            # pragma: no cover
-        value = value.encode('latin-1')
+    # If we are passed bytes, we assume that it conforms to WSGI, encoding in latin-1.
+    if isinstance(value, bytes):  # pragma: no cover
+        value = value.decode('latin-1')
+
+    # For types
+    assert isinstance(value, str), 'Value should be a string by now'
 
     # If we have no options, return the string as-is.
-    if b';' not in value:
-        return (value.lower().strip(), {})
+    if ";" not in value:
+        return (value.lower().strip().encode('latin-1'), {})
 
     # Split at the first semicolon, to get our value and then options.
-    ctype, rest = value.split(b';', 1)
+    # ctype, rest = value.split(b';', 1)
+    message = Message()
+    message['content-type'] = value
+    params = message.get_params()
+    # If there were no parameters, this would have already returned above
+    assert params, 'At least the content type value should be present'
+    ctype = params.pop(0)[0].encode('latin-1')
     options = {}
-
-    # Parse the options.
-    for match in OPTION_RE.finditer(rest):
-        key = match.group(1).lower()
-        value = match.group(2)
-        if value[0] == QUOTE and value[-1] == QUOTE:
-            # Unquote the value.
-            value = value[1:-1]
-            value = value.replace(b'\\\\', b'\\').replace(b'\\"', b'"')
-
+    for param in params:
+        key, value = param
+        # If the value returned from get_params() is a 3-tuple, the last
+        # element corresponds to the value.
+        # See: https://docs.python.org/3/library/email.compat32-message.html
+        if isinstance(value, tuple):
+            value = value[-1]
         # If the value is a filename, we need to fix a bug on IE6 that sends
         # the full file path instead of the filename.
-        if key == b'filename':
-            if value[1:3] == b':\\' or value[:2] == b'\\\\':
-                value = value.split(b'\\')[-1]
-
-        options[key] = value
-
+        if key == 'filename':
+            if value[1:3] == ':\\' or value[:2] == '\\\\':
+                value = value.split('\\')[-1]
+        options[key.encode('latin-1')] = value.encode('latin-1')
     return ctype, options
 
 

{python_multipart-0.0.6 → python_multipart-0.0.8}/pyproject.toml

@@ -9,9 +9,7 @@ description = "A streaming multipart parser for Python"
 readme = "README.rst"
 license = "Apache-2.0"
 requires-python = ">=3.7"
-authors = [
-    { name = "Andrew Dunham", email = "andrew@du.nham.ca" },
-]
+authors = [{ name = "Andrew Dunham", email = "andrew@du.nham.ca" }]
 classifiers = [
     'Development Status :: 5 - Production/Stable',
     'Environment :: Web Environment',
@@ -41,7 +39,7 @@ dev = [
     "pytest==7.2.0",
     "pytest-cov==4.0.0",
     "PyYAML==5.1",
-    "invoke==1.7.3",
+    "invoke==2.2.0",
     "pytest-timeout==2.1.0",
     "hatch",
 ]
@@ -49,17 +47,14 @@ dev = [
 [project.urls]
 Homepage = "https://github.com/andrew-d/python-multipart"
 Documentation = "https://andrew-d.github.io/python-multipart/"
-Changelog = "https://github.com/andrew-d/python-multipart/tags"
+Changelog = "https://github.com/andrew-d/python-multipart/blob/master/CHANGELOG.md"
 Source = "https://github.com/andrew-d/python-multipart"
 
 [tool.hatch.version]
 path = "multipart/__init__.py"
 
 [tool.hatch.build.targets.wheel]
-packages = [
-    "multipart",
-]
+packages = ["multipart"]
+
 [tool.hatch.build.targets.sdist]
-include = [
-    "/multipart",
-]
+include = ["/multipart", "/tests"]

{python_multipart-0.0.6/multipart → python_multipart-0.0.8}/tests/test_multipart.py

@@ -1,8 +1,6 @@
 import os
 import sys
-import glob
 import yaml
-import base64
 import random
 import tempfile
 import unittest
@@ -12,9 +10,9 @@ from .compat import (
     slow_test,
 )
 from io import BytesIO
-from unittest.mock import MagicMock, Mock, patch
+from unittest.mock import Mock
 
-from ..multipart import *
+from multipart.multipart import *
 
 
 # Get the current directory for our later test cases.
@@ -272,6 +270,16 @@ class TestParseOptionsHeader(unittest.TestCase):
         t, p = parse_options_header(b'text/plain; filename="C:\\this\\is\\a\\path\\file.txt"')
 
         self.assertEqual(p[b'filename'], b'file.txt')
+    
+    def test_redos_attack_header(self):
+        t, p = parse_options_header(b'application/x-www-form-urlencoded; !="\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\')
+        # If vulnerable, this test wouldn't finish, the line above would hang
+        self.assertIn(b'"\\', p[b'!'])
+
+    def test_handles_rfc_2231(self):
+        t, p = parse_options_header(b'text/plain; param*=us-ascii\'en-us\'encoded%20message')
+
+        self.assertEqual(p[b'param'], b'encoded message')
 
 
 class TestBaseParser(unittest.TestCase):