
[2.7] bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660) #9969

Merged: 5 commits, into python:2.7, Oct 30, 2018

Conversation

@matthewbelisle-wf (Contributor) commented Oct 19, 2018

Adding max_num_fields to cgi.FieldStorage to make DOS attacks harder by
limiting the number of MiniFieldStorage objects created by FieldStorage.

(cherry picked from commit 2091448)

https://bugs.python.org/issue34866

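The mitigation the pull request describes, shown as an added example that is not part of the PR or of CPython: the request parser is given an upper bound on the number of form fields, and a body that exceeds it is rejected before a per-field object is built for each pair. The block uses Python 3's `urllib.parse.parse_qs`, which accepts the same `max_num_fields` keyword and signals an exceeded cap with `ValueError`, so it runs on a current interpreter; the sample bodies, `build_body`, `parse_form` and `count_fields_unbounded` are constructed for this illustration.

```python
"""Added example: capping the number of fields parsed from a form body.

Not code from the PR. Python 3's urllib.parse.parse_qs takes the same
max_num_fields keyword this PR backports to 2.7 and raises ValueError when
the body holds more fields than the cap allows.
"""
from urllib.parse import parse_qs

# Constructed sample body (not from the PR): three fields.
SMALL_BODY = "user=alice&action=login&token=abc123"


def build_body(num_fields: int) -> str:
    """Build a constructed application/x-www-form-urlencoded body of num_fields pairs."""
    return "&".join("f%d=%d" % (i, i) for i in range(num_fields))


def parse_form(body: str, max_num_fields: int = 1000):
    """Parse a form body under a field-count cap.

    Returns (fields, None) on success, or (None, reason) when the cap is
    exceeded. The check happens inside parse_qs before any field is
    materialised, so an oversized body costs one count of separators rather
    than one object per pair.
    """
    try:
        fields = parse_qs(body, keep_blank_values=True, max_num_fields=max_num_fields)
    except ValueError:
        return None, "too many fields (limit %d)" % max_num_fields
    return fields, None


def count_fields_unbounded(body: str) -> int:
    """Number of keys the uncapped parser materialises for the same body."""
    return len(parse_qs(body, keep_blank_values=True))


if __name__ == "__main__":
    print(parse_form(SMALL_BODY, max_num_fields=10))
    big = build_body(100000)
    print(count_fields_unbounded(big))          # every pair becomes a dict entry
    print(parse_form(big, max_num_fields=1000))  # rejected up front
```

Choosing the cap is an application decision: it should be a little above the largest form the application legitimately serves, and the rejection should be logged with the request's source, since a client repeatedly hitting the limit is worth noticing.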
@matthewbelisle-wf (Contributor, Author)

@ambv @methane Here is the 2.7 backport of #9660. While doing this backport I noticed a logic bug in #9660 that my unit tests did not catch, and I'm making another bpo issue to fix it in 3.x. Sorry for the extra work there, it was my mistake. I'll CC you on that PR.

@methane methane closed this Oct 23, 2018
@methane methane reopened this Oct 23, 2018
@vstinner (Member) left a comment

You must update the documentation as well: https://bugs.python.org/issue34866#msg328401

@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@matthewbelisle-wf (Contributor, Author)

Thanks for the info @vstinner, I added those changes in 90ab0d5.

For @bedevere-bot : I have made the requested changes; please review again.

@bedevere-bot

Thanks for making the requested changes!

@vstinner: please review the changes made to this pull request.

@vstinner (Member) left a comment

LGTM.

Please write a PR for the master branch to document the new parameter.

@matthewbelisle-wf (Contributor, Author)

Thanks @vstinner. Here are the PRs for master, 3.7, and 3.6:

#10247
#10246
#10248

Use the :func:`urllib.urlencode` function to convert such dictionaries into
query strings.

.. versionadded:: 2.6
Copied from the :mod:`cgi` module.

.. versionchanged:: 2.7.16
Added *max_num_fields* param.
Review comment (Member) on the lines above:

Oh, please replace "param" with "parameter".

Use the :func:`urllib.urlencode` function to convert such lists of pairs into
query strings.

.. versionadded:: 2.6
Copied from the :mod:`cgi` module.

.. versionchanged:: 2.7.16
Added *max_num_fields* param.
Review comment (Member) on the lines above:

Ditto.

@matthewbelisle-wf (Contributor, Author)

@vstinner Sure thing, fixed in commit 1767079.

@matthewbelisle-wf (Contributor, Author)

Okay, this is ready for review again, @vstinner.

@vstinner vstinner merged commit bc6f74a into python:2.7 Oct 30, 2018
Labels: type-security (A security issue)