larger file content is prepended with CR LF

[naktinis]

Starting with werkzeug version 2.3.0, posting payload content that is larger than 65575 bytes will result in two extra bytes prepended to the file content. Version 2.2.3 and earlier doesn't have this issue (meaning, in earlier versions the server prints the exact same thing in both cases, as expected).

In the test below I send two files. They're both identical with the only difference being that file_a.txt is 65428 bytes, while file_b.txt is 65429 (extra bytes in the request body are added by headers, multipart format etc.).

Test input files are attached.

Speculation: since it's close to 2**16 (65536), maybe it has something to do with that.

Client:

import requests

# This will print b'xxxxxxxxxx' on the server.
requests.post('http://127.0.0.1:9999/', files={'hello': open('file_a.txt')})

# This will print b'\r\nxxxxxxxxxx' on the server.
requests.post('http://127.0.0.1:9999/', files={'hello': open('file_b.txt')})

Server:

from flask import Flask, request
app = Flask(__name__)


@app.route('/', methods=['POST'])
def route():
    print(request.headers['content-length'])
    print(request.files['hello'].stream.read()[:10])
    return ''


if __name__ == '__main__':
    app.run(host='127.0.0.1', port=9999)

file_a.txt
file_b.txt

Environment:

• Python version: 3.11 (but also saw the same behavior on 3.8)
• Werkzeug version: 2.3.2 (earliest one I could reproduce this in was 2.3.0)

[davidism]

Related to #2658. Looks like PR #2639 missed something when fixing support for empty fields. @pgjones said he'd be able to look at it after the weekend. If anyone else wants to help debug the parser that would be appreciated.