Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers.

007 2020-02-21 13:25:22 +08:00 committed by Mariusz Felisiak
parent a21f7b91db
commit e65fea9292
2 changed files with 45 additions and 3 deletions


@ -664,12 +664,12 @@ def parse_header(line):
if p.count(b"'") == 2: if p.count(b"'") == 2:
has_encoding = True has_encoding = True
value = p[i + 1:].strip() value = p[i + 1:].strip()
if has_encoding:
encoding, lang, value = value.split(b"'")
value = unquote(value.decode(), encoding=encoding.decode())
if len(value) >= 2 and value[:1] == value[-1:] == b'"': if len(value) >= 2 and value[:1] == value[-1:] == b'"':
value = value[1:-1] value = value[1:-1]
value = value.replace(b'\\\\', b'\\').replace(b'\\"', b'"') value = value.replace(b'\\\\', b'\\').replace(b'\\"', b'"')
if has_encoding:
encoding, lang, value = value.split(b"'")
value = unquote(value.decode(), encoding=encoding.decode())
pdict[name] = value pdict[name] = value
return key, pdict return key, pdict
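Review bot: The `has_encoding` branch calls `value.decode()` and `encoding.decode()` on bytes taken directly from the request header and passes the client-chosen charset label to `unquote`, and nothing in this hunk catches a failure. An unknown charset label can raise LookupError and non-UTF-8 bytes raise UnicodeDecodeError, so unless the caller handles them (`parse_header` starts and is called outside this hunk), a malformed `filename*` or `name*` parameter becomes an unhandled error instead of a rejected or ignored parameter. Consider wrapping the call as `try: value = unquote(value.decode(), encoding=encoding.decode())` with `except (LookupError, UnicodeDecodeError):` falling back to whatever the parser does for an unparseable parameter, and adding a regression test for a double-quoted value with a bogus charset. Note also that this branch leaves `value` as `str` while the other path leaves it as `bytes`, which deserves a comment next to `pdict[name] = value`.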


@ -162,6 +162,48 @@ class FileUploadTests(TestCase):
response = self.client.request(**r) response = self.client.request(**r)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
def test_unicode_file_name_rfc2231_with_double_quotes(self):
payload = client.FakePayload()
payload.write('\r\n'.join([
'--' + client.BOUNDARY,
'Content-Disposition: form-data; name="file_unicode"; '
'filename*="UTF-8\'\'%s"' % quote(UNICODE_FILENAME),
'Content-Type: application/octet-stream',
'',
'You got pwnd.\r\n',
'\r\n--' + client.BOUNDARY + '--\r\n',
]))
r = {
'CONTENT_LENGTH': len(payload),
'CONTENT_TYPE': client.MULTIPART_CONTENT,
'PATH_INFO': '/unicode_name/',
'REQUEST_METHOD': 'POST',
'wsgi.input': payload,
}
response = self.client.request(**r)
self.assertEqual(response.status_code, 200)
def test_unicode_name_rfc2231_with_double_quotes(self):
payload = client.FakePayload()
payload.write('\r\n'.join([
'--' + client.BOUNDARY,
'Content-Disposition: form-data; name*="UTF-8\'\'file_unicode"; '
'filename*="UTF-8\'\'%s"' % quote(UNICODE_FILENAME),
'Content-Type: application/octet-stream',
'',
'You got pwnd.\r\n',
'\r\n--' + client.BOUNDARY + '--\r\n'
]))
r = {
'CONTENT_LENGTH': len(payload),
'CONTENT_TYPE': client.MULTIPART_CONTENT,
'PATH_INFO': '/unicode_name/',
'REQUEST_METHOD': 'POST',
'wsgi.input': payload,
}
response = self.client.request(**r)
self.assertEqual(response.status_code, 200)
def test_blank_filenames(self): def test_blank_filenames(self):
""" """
Receiving file upload when filename is blank (before and after Receiving file upload when filename is blank (before and after
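Review bot: Both new tests, `test_unicode_file_name_rfc2231_with_double_quotes` and `test_unicode_name_rfc2231_with_double_quotes`, assert only `response.status_code == 200`, so nothing in the hunk shows that the quoted `filename*`/`name*` value is decoded back to `UNICODE_FILENAME`. Presumably the `/unicode_name/` view performs that comparison and returns a non-200 status on mismatch, but the view is outside this hunk. A short docstring on each test would make that dependency explicit, for example `"""The /unicode_name/ view verifies the decoded file name; 200 means the quoted RFC 2231 value was parsed correctly."""`, if that is indeed what the view does. The two payloads differ only in the `name` parameter and could share a helper; `test_blank_filenames` continues past the end of the hunk.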