python-multipart 0.0.7__tar.gz → 0.0.8__tar.gz

{python_multipart-0.0.7 → python_multipart-0.0.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: python-multipart
-Version: 0.0.7
+Version: 0.0.8
 Summary: A streaming multipart parser for Python
 Project-URL: Homepage, https://github.com/andrew-d/python-multipart
 Project-URL: Documentation, https://andrew-d.github.io/python-multipart/

{python_multipart-0.0.7 → python_multipart-0.0.8}/multipart/__init__.py

@@ -2,7 +2,7 @@
 __author__ = "Andrew Dunham"
 __license__ = "Apache"
 __copyright__ = "Copyright (c) 2012-2013, Andrew Dunham"
-__version__ = "0.0.7"
+__version__ = "0.0.8"
 
 
 from .multipart import (

{python_multipart-0.0.7 → python_multipart-0.0.8}/multipart/multipart.py

@@ -2,7 +2,6 @@ from .decoders import *
 from .exceptions import *
 
 import os
-import re
 import sys
 import shutil
 import logging
@@ -67,16 +66,6 @@ lower_char = lambda c: c | 0x20
 ord_char = lambda c: c
 join_bytes = lambda b: bytes(list(b))
 
-# These are regexes for parsing header values.
-SPECIAL_CHARS = re.escape(b'()<>@,;:\\"/[]?={} \t')
-QUOTED_STR = br'"(?:\\.|[^"])*"'
-VALUE_STR = br'(?:[^' + SPECIAL_CHARS + br']+|' + QUOTED_STR + br')'
-OPTION_RE_STR = (
-    br'(?:;|^)\s*([^' + SPECIAL_CHARS + br']+)\s*=\s*(' + VALUE_STR + br')'
-)
-OPTION_RE = re.compile(OPTION_RE_STR)
-QUOTE = b'"'[0]
-
 
 def parse_options_header(value: Union[str, bytes]) -> Tuple[bytes, Dict[bytes, bytes]]:
     """
@@ -110,6 +99,11 @@ def parse_options_header(value: Union[str, bytes]) -> Tuple[bytes, Dict[bytes, b
     options = {}
     for param in params:
         key, value = param
+        # If the value returned from get_params() is a 3-tuple, the last
+        # element corresponds to the value.
+        # See: https://docs.python.org/3/library/email.compat32-message.html
+        if isinstance(value, tuple):
+            value = value[-1]
         # If the value is a filename, we need to fix a bug on IE6 that sends
         # the full file path instead of the filename.
         if key == 'filename':

{python_multipart-0.0.7 → python_multipart-0.0.8}/tests/test_multipart.py

@@ -270,6 +270,16 @@ class TestParseOptionsHeader(unittest.TestCase):
         t, p = parse_options_header(b'text/plain; filename="C:\\this\\is\\a\\path\\file.txt"')
 
         self.assertEqual(p[b'filename'], b'file.txt')
+    
+    def test_redos_attack_header(self):
+        t, p = parse_options_header(b'application/x-www-form-urlencoded; !="\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\')
+        # If vulnerable, this test wouldn't finish, the line above would hang
+        self.assertIn(b'"\\', p[b'!'])
+
+    def test_handles_rfc_2231(self):
+        t, p = parse_options_header(b'text/plain; param*=us-ascii\'en-us\'encoded%20message')
+
+        self.assertEqual(p[b'param'], b'encoded message')
 
 
 class TestBaseParser(unittest.TestCase):