FileStorage.mode attribute should be rb+

[Colin-b]

When receiving files, werkzeug.datastructures.FileStorage is used. The underlying stream is determined by the default stream factory.

I assume that for most people (if not all?), tempfile.SpooledTemporaryFile will exists, so the following line of code will be executed.

Setting the mode to wb+, thus using an io.BytesIO instance underneath.

When accessing the mode attribute from werkzeug.datastructures.FileStorage, the one from tempfile.SpooledTemporaryFile will be used, and as there is no mode for io.BytesIO, the one set in the constructor will be used, resulting in a write-only mode being returned.

To my knowledge, FileStorage is only returned to read files, so the mode exposed to clients should be read-only.

You can reproduce the bug by checking filestorage.mode while executing this test case.

The impact I see is that pandas seems to rely on mode to determine if a file is readable or not. Changing it to "rb+" instead of "wb+" in the stream factory solves the issue (and avoid sending misleading information to client).

Environment:

• Python version: 3.8.6 (Windows 10, 64 bits python)
• Werkzeug version: 1.0.1

[davidism]

I guess the distinction that w+ means truncate and r+ means don't isn't relevant when opening these tempfiles, so changing it seems fine.

That said, if Pandas isn't recognizing + as meaning the file is open for reading (and writing), then that's a bug in Pandas. You should report that to them.

[davidism]

It looks like you never reported this issue to Pandas. You need to report it to them as well, they should be recognizing that wb+ allows reading.